Cymulate’s honeypot network was able to track a massive load of exploitation of CVE-2022-27255 - RCE: with the the Suricata signature - “ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound” ID: “2038669”CVE-2022-27255 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27255]: Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.
We think that these new attacks are related to the Infobyte demonstration on Defcon of a new vulnerability they found.
The POC exploit provided by infobyte’s can be found on their github: https://github.com/infobyte/cve-2022-27255/tree/main/exploits_nexxt
Their github includes both analysis (test to see if you are vulnerable or not) and also the POC of the exploitation.This easily means that attackers follow all kinds of security conferences to gain new methods of attacks and exploits.
List of vulnerable router devices that attackers are trying to exploit:
- Nexxt Nebula 300 Plus
- Tenda F6 V5.0
- Tenda F3 V3
- Tenda F9 V2.0
- Tenda AC5 V3.0
- Tenda AC6 V5.0
- Tenda AC7 V4.0
- Tenda A9 V3
- Tenda AC8 V2.0
- Tenda AC10 V3
- Tenda AC11 V2.0
- Tenda FH456 V4.0
- Zyxel NBG6615 V1.00
- Intelbras RF 301K V1.1.15
- Multilaser AC1200 RE018
- iBall 300M-MIMO (iB-WRB303N)
- Brostrend AC1200 extender
- MT-Link MT-WR850N
- MT-Link MT-WR950N
- Everest EWR-301
- D-Link DIR-822 h/w version B
- Speedefy K4
- Ultra-Link Wireless N300 Universal Range Extender
- Keo KLR 301
- QPCOM QP-WR347N
- NEXT 504N
- Nisuta NS-WIR303N (probably V2)
- Rockspace AC2100 Dual Band Wi-Fi Range Extender
- KNUP KP-R04
- Hikvision DS-3WR12-E
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27255