Realtek is a Taiwanese semiconductor company specializing in audio, WiFi, and peripheral connectivity chips, and its parts enjoy very high market penetration. As a result, whenever a serious flaw is found in one of its products, whether in software or in hardware, the impact spreads across a wide range of downstream devices and is hard to remediate in practice. In the most recent example, a team of researchers has found four critical vulnerabilities in Realtek's SDK that affect around 200 device models from 65 vendors, and potentially hundreds of thousands of IoT devices in the field.
The four flaws, along with a short description, are the following:
The researchers who discovered the above flaws contacted Realtek on May 17, 2021, and provided proof-of-concept scripts on request. Realtek had patched the identified issues by June 10, 2021, except for the 2.x branch of the SDK, which is 11 years old and no longer supported. This also means the four flaws have been present in some Realtek-based products for over a decade. As the report points out, at least some of the vendors had access to the Realtek SDK source code, so they either missed the flaws or did not invest the effort needed to scrutinize the code they were shipping as part of their supply chain.
Getting the fixes downstream is now a complicated matter, as each device vendor has to prepare and push its own firmware updates, and end users have to apply them. The manufacturers listed as affected include ASUS, Belkin, Beeline, D-Link, Huawei, LG, Logitech, Netgear, TCL, ZTE, and Zyxel, so the impact is broad. The full list of affected models is given in the researchers' detailed report, so you can check whether your own devices appear in it. Realtek has also published its own advisory on the issue.