CVE-2021-35394 is a critical remote code execution vulnerability affecting the Realtek Jungle SDK.
Rated 9.8 on the CVSS 3.x severity scale, the vulnerability has been weaponized by attackers in ongoing malicious campaigns that began in August 2022. According to Palo Alto Networks’ Unit 42 researchers, at least 134 million exploit attempts had been recorded by December 2022.
The team “discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks.”
“As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. At the time of writing, the attack is still ongoing,” the report added.
CVE-2021-35394: What Is Known So Far
According to the official description provided by the National Vulnerability Database, the flaw lies in a diagnostic tool called MP Daemon:
Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.
It is noteworthy that CVE-2021-35394 affects 190 models of devices from 66 manufacturers. As for the high success rate of the attacks, the researchers believe that the flaw has been weaponized by so many threat actors “because supply chain issues can make it difficult for the average user to identify the affected products that are being exploited.”
Attacks against CVE-2021-35394 Deliver Malware
In most of the attacks, the researchers observed attempts to deliver malware to vulnerable IoT devices; in other words, attackers are using the flaw to carry out large-scale attacks. Because IoT devices and routers are often excluded from organizations’ security routines, many devices and companies may be at risk, Unit 42 warned.
The analysis reveals that the malware samples from the attack attempts come from popular malware families, including Mirai, Gafgyt and Mozi, as well as a new DDoS botnet written in Golang called RedGoBot.
“If you confirm that a device has been affected by the malware referenced in this post, it is necessary to apply a factory reset on the device and reinstall the latest version of its software,” the report concluded.