Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs Taiwanese chip designer Realtek has warned of four vulnerabilities in three SDKs accompanying its Wi-Fi modules, which are used in almost 200 products made by more than five dozen vendors. The flaws allow a remote, unauthenticated attacker to deny service, crash devices, and inject arbitrary commands, the advisory states [PDF …
Problem in this case is that no-one buys a Realtek product. They buy a Netgear router with a Realtek wireless module. So there's not much more Realtek can do in this instance.
I couldn't have told you what chipset my router uses until I googled it 5 minutes ago. It's Qualcomm. From memory, it's usually going to be 1 of 4 - Realtek, Qualcomm, Broadcom or Intel.
...to hell.
I woudl imagine that most of the devices affected have no real update mechanism, certainly no automated method and will rely on people to log in to them and apply an update through some archaic scripts or maybe they will have a button in the GUI that will allow something to happen sometime if the untrained user can find the right file on the right website.
My guess is arond 10% of affected devices will be updated.
Rule 1. Design to be manged, not to finish the project as quickly as possible.
Rule 2. Make it do simple your grandmother could do it.
"My guess is arond 10% of affected devices will be updated."
I admire your optimism. My guess would probably be at least two orders of magnitude lower because it sounds like most devices using this chip are consumer-level. Many people don't recognize networking equipment as needing the same level of attention to detail as their computers. Manufacturers in turn seem to think that it should have maybe two years of support life, if I'm optimistic, despite the fact that lots of decade-old networking kit works just as well if security isn't factored in.
Rule 1. No, that costs money.
Rule 2. No, that costs money.
Here's a few rules that you'll find most manufacturers adhere to.
Basic coding errors, as usual.
The buffer overflow has been on the radar for around half century, and command injection ever since the web went public, so why do they still keep cropping up? Does anyone test their code for anything except minimal functionality?
Answers on a postcard please ;-(
Many years ago when doing custom ROMs for Android phones Realtek made itself known to my conscious mind. Not in a good way.
Closed source, buggy, unmaintained drivers for the cheapest GARBAGE hardware in the industry describes my experience. OH! Did I mention that they will disavow they ever heard of a chip not 5 years later; not 1 year later; but while the last batch is still on the loading dock as each little dip package waits breathlessly to RUIN the day of some unsuspecting customer somewhere.
There is literally NOTHING this shite organization could do that would surprise me. The only reason they are not involved in CCP spying is because they are too incompetent to put the right code on the right chips.
LOL. True. Realtek .OMG. Truly low end. However, the price point was always amazing! We used to use their Ethernet boards (ISA, BTW). and they were CAD$12 vs the next closest at $30 and worked pretty well. But, if we were building X white boxes, we'd always order 20% more because, guaranteed, we'd have that many DOA. It was our first lesson in you get what you pay for. Driver updates, if you could navigate the website to find them, were kinda sparse.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
