Overview
A critical remote code execution vulnerability exists in the miniigd UPnP/SOAP service shipped in the Realtek SDK. It allows unauthenticated remote attackers to execute arbitrary commands by sending a crafted SOAP request whose NewInternalClient parameter contains shell metacharacters. The vulnerability has been extensively exploited in the wild and is used by multiple malware families, including Mirai botnet variants. It was disclosed on May 1, 2015. CISA has identified CVE-2014-8361 as exploited in the wild; it is not currently known to be used in ransomware campaigns.
Technical details
The miniigd (Minimal Internet Gateway Device) SOAP service in the Realtek SDK fails to validate the parameters of UPnP AddPortMapping requests. The service is reached over HTTP, most commonly on 52869/TCP, with 5000/TCP and other ports used on some firmware builds. The value of the NewInternalClient parameter, which should only ever be an IPv4 address, is interpolated into a shell command line (typically the iptables command that sets up the requested port mapping) and executed through a shell without any sanitization. An attacker who places shell metacharacters such as backticks in that parameter therefore runs arbitrary commands with the privileges of the service, which on these devices is root.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its critical nature: network-reachable, low complexity, no privileges or user interaction required, and full loss of confidentiality, integrity and availability.
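To make the mechanism concrete, here is an added example (not miniigd's actual source, which is Realtek's proprietary code): a request handler written in the unsafe style the advisory describes, beside a hardened version that validates every field and never lets request data reach a shell. The SOAP bodies, the soap_get helper and the exact iptables command shape are constructed for illustration; the field names are the standard UPnP WANIPConnection AddPortMapping arguments.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample requests (not captured traffic). The first is a benign
 * AddPortMapping call; the second carries a command-substitution payload in
 * NewInternalClient, the injection point named in the advisory. */
static const char BENIGN_REQ[] =
    "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Body>"
    "<u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
    "<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.10</NewInternalClient>"
    "</u:AddPortMapping></s:Body></s:Envelope>";

static const char INJECT_REQ[] =
    "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Body>"
    "<u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
    "<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>80</NewInternalPort><NewInternalClient>`id`</NewInternalClient>"
    "</u:AddPortMapping></s:Body></s:Envelope>";

/* Minimal stand-in for miniigd's SOAP parsing: copies the text between
 * <tag> and </tag> into out. Returns 1 on success, 0 if absent or too long. */
static int soap_get(const char *body, const char *tag, char *out, size_t outsz) {
    char open[64], close[64];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *s = strstr(body, open);
    if (!s) return 0;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e || (size_t)(e - s) >= outsz) return 0;
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return 1;
}

/* VULNERABLE pattern (CWE-78): request fields are pasted into a shell command
 * line. The real service hands such a string to system(); this example only
 * returns it so the demonstration can be run safely. */
int build_vulnerable_cmd(const char *body, char *cmd, size_t cmdsz) {
    char proto[16], eport[16], client[256], iport[16];
    if (!soap_get(body, "NewProtocol", proto, sizeof proto) ||
        !soap_get(body, "NewExternalPort", eport, sizeof eport) ||
        !soap_get(body, "NewInternalClient", client, sizeof client) ||
        !soap_get(body, "NewInternalPort", iport, sizeof iport))
        return 0;
    snprintf(cmd, cmdsz,
             "iptables -t nat -A PREROUTING -p %s --dport %s -j DNAT --to %s:%s",
             proto, eport, client, iport);
    return 1; /* a backtick in client now executes inside the shell parsing cmd */
}

struct port_mapping {
    char proto[4];                /* "TCP" or "UDP" */
    unsigned short eport, iport;  /* external and internal ports */
    char client[INET_ADDRSTRLEN]; /* validated, canonical dotted-quad IPv4 */
};

static int parse_port(const char *s, unsigned short *out) {
    size_t n = strlen(s);
    if (n == 0 || n > 5) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    long v = strtol(s, NULL, 10);
    if (v < 1 || v > 65535) return 0;
    *out = (unsigned short)v;
    return 1;
}

/* HARDENED: each field is checked against its expected grammar before use.
 * NewInternalClient is accepted only if inet_pton parses it as an IPv4
 * address, so metacharacters never reach any command. The caller should then
 * build an argv vector and use fork()/execv() instead of system(), so no
 * shell ever sees request data. Returns 1 and fills pm, or 0 to reject. */
int parse_hardened(const char *body, struct port_mapping *pm) {
    char proto[16], eport[16], client[256], iport[16];
    struct in_addr addr;
    if (!soap_get(body, "NewProtocol", proto, sizeof proto) ||
        !soap_get(body, "NewExternalPort", eport, sizeof eport) ||
        !soap_get(body, "NewInternalClient", client, sizeof client) ||
        !soap_get(body, "NewInternalPort", iport, sizeof iport))
        return 0;
    if (strcmp(proto, "TCP") != 0 && strcmp(proto, "UDP") != 0) return 0;
    if (!parse_port(eport, &pm->eport) || !parse_port(iport, &pm->iport)) return 0;
    if (inet_pton(AF_INET, client, &addr) != 1) return 0;
    strcpy(pm->proto, proto);
    /* Re-serialize from binary form so only canonical text is ever stored. */
    inet_ntop(AF_INET, &addr, pm->client, sizeof pm->client);
    return 1;
}

int main(void) {
    char cmd[512];
    struct port_mapping pm;
    build_vulnerable_cmd(INJECT_REQ, cmd, sizeof cmd);
    printf("vulnerable builds: %s\n", cmd);
    printf("hardened, benign : %s\n", parse_hardened(BENIGN_REQ, &pm) ? "accepted" : "rejected");
    printf("hardened, inject : %s\n", parse_hardened(INJECT_REQ, &pm) ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened version is not escaping: a positive grammar check (the value must parse as an IPv4 address, ports must be decimal in range, protocol must be one of two literals) plus an exec-style invocation leaves nothing for a shell to interpret, whereas blacklisting backticks or semicolons would still leave other metacharacters and quoting tricks to worry about.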
Impact
Successful exploitation allows complete compromise of affected routers and embedded devices. Attackers can: (1) Execute arbitrary commands with root privileges, (2) Install malware or botnet agents (Mirai, Hajime, etc.), (3) Turn the device into a botnet node for DDoS attacks, (4) Harvest credentials and sensitive data from the device, (5) Pivot to internal network resources, (6) Modify firmware or persistent configuration, (7) Disrupt network services and connectivity. This vulnerability has been extensively leveraged in real-world attacks, particularly for IoT botnet recruitment. Because the flaw lies in the Realtek SDK from which many OEMs build their firmware, rather than in a single vendor's product, a large and diverse population of devices is affected, and a device stays vulnerable until its OEM ships firmware built from a fixed SDK; hardening elsewhere on the device does not remove the injection point.
Mitigation and workarounds
As temporary workarounds: (1) Disable the UPnP/miniigd service if it is not required; turning off UPnP in the router's administration interface removes the vulnerable endpoint entirely and completely prevents exploitation of this vulnerability. (2) Restrict network access to the UPnP/miniigd service (52869/TCP, 5000/TCP, or whatever port the firmware uses) with firewall rules, blocking inbound connections to UPnP ports from untrusted networks. (3) Isolate vulnerable IoT devices on a separate network segment with restricted access to the main network and the internet. (4) Keep devices behind a firewall that blocks or restricts UPnP traffic from external networks. (5) Replace affected routers and devices with newer models that ship a patched SDK or have UPnP disabled by default.
CISA recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated by AI.

