Search criteria
21 vulnerabilities found for rtl8195a_firmware by realtek
FKIE_CVE-2020-27302
Vulnerability from fkie_nvd - Published: 2021-06-04 13:15 - Updated: 2024-11-21 05:21
Severity ?
Summary
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "memcpy" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8710c_firmware | - | |
| realtek | rtl8710c | - | |
| realtek | rtl8195a_firmware | - | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8710c_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1F44702F-DFF5-4797-BA71-6CF5591782CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8710c:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DEB9942A-10B7-4838-B437-DA3F842CAA66",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5C242328-36B8-4995-8174-378EDB8E6A7A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"memcpy\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
},
{
"lang": "es",
"value": "Un desbordamiento del b\u00fafer de la pila en el Realtek RTL8710 (y otros dispositivos basados en Ameba) puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota por medio de la funci\u00f3n \"memcpy\", cuando un atacante en el rango de la Wi-Fi env\u00eda un valor \"Encrypted GTK\" dise\u00f1ado como parte del 4-way-handshake de WPA2"
}
],
"id": "CVE-2020-27302",
"lastModified": "2024-11-21T05:21:01.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.7,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-04T13:15:08.660",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-27301
Vulnerability from fkie_nvd - Published: 2021-06-04 13:15 - Updated: 2024-11-21 05:21
Severity ?
Summary
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8710c_firmware | - | |
| realtek | rtl8710c | - | |
| realtek | rtl8195a_firmware | - | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8710c_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1F44702F-DFF5-4797-BA71-6CF5591782CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8710c:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DEB9942A-10B7-4838-B437-DA3F842CAA66",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5C242328-36B8-4995-8174-378EDB8E6A7A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
},
{
"lang": "es",
"value": "Un desbordamiento del b\u00fafer de la pila en Realtek RTL8710 (y otros dispositivos basados en Ameba) puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota por medio de la funci\u00f3n \"AES_UnWRAP\", cuando un atacante en el alcance del Wi-Fi env\u00eda un valor \"Encrypted GTK\" dise\u00f1ado como parte del 4-way-handshake de WPA2"
}
],
"id": "CVE-2020-27301",
"lastModified": "2024-11-21T05:21:01.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.7,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-04T13:15:07.750",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-25855
Vulnerability from fkie_nvd - Published: 2021-02-03 17:15 - Updated: 2024-11-21 05:18
Severity ?
Summary
The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8195a_firmware | * | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C",
"versionEndExcluding": "2.08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
},
{
"lang": "es",
"value": "La funci\u00f3n AES_UnWRAP() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n memcpy(), resultando en un desbordamiento del b\u00fafer de la pila que puede ser explotado para una ejecuci\u00f3n de c\u00f3digo remota o una denegaci\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante necesita conocer el PSK de la red para explotar esto"
}
],
"id": "CVE-2020-25855",
"lastModified": "2024-11-21T05:18:54.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T17:15:15.043",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "vuln@vdoo.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-25856
Vulnerability from fkie_nvd - Published: 2021-02-03 17:15 - Updated: 2024-11-21 05:18
Severity ?
Summary
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8195a_firmware | * | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C",
"versionEndExcluding": "2.08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
},
{
"lang": "es",
"value": "La funci\u00f3n DecWPA2KeyData() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n rtl_memcpy(), resulta en un desbordamiento del b\u00fafer de la pila que puede ser explotada para una ejecuci\u00f3n de c\u00f3digo remota o una denegaci\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante necesita conocer el PSK de la red para explotar esto"
}
],
"id": "CVE-2020-25856",
"lastModified": "2024-11-21T05:18:54.840",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T17:15:15.420",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "vuln@vdoo.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-25857
Vulnerability from fkie_nvd - Published: 2021-02-03 17:15 - Updated: 2024-11-21 05:18
Severity ?
Summary
The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8195a_firmware | * | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C",
"versionEndExcluding": "2.08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
},
{
"lang": "es",
"value": "La funci\u00f3n ClientEAPOLKeyRecvd() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n rtl_memcpy(), resultando en un desbordamiento del b\u00fafer de la pila que puede ser explotada para una denegaci\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante no necesita conocer el PSK de la red"
}
],
"id": "CVE-2020-25857",
"lastModified": "2024-11-21T05:18:54.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T17:15:15.747",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "vuln@vdoo.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-25853
Vulnerability from fkie_nvd - Published: 2021-02-03 17:15 - Updated: 2024-11-21 05:18
Severity ?
Summary
The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8195a_firmware | * | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C",
"versionEndExcluding": "2.08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
},
{
"lang": "es",
"value": "La funci\u00f3n CheckMic() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una funci\u00f3n interna, _rt_md5_hmac_veneer() o _rt_hmac_sha1_veneer(), resulta en una lectura excesiva del b\u00fafer de pila que puede ser explotada para una denegaci\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante no necesita conocer el PSK de la red"
}
],
"id": "CVE-2020-25853",
"lastModified": "2024-11-21T05:18:54.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T17:15:14.187",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-126"
}
],
"source": "vuln@vdoo.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-25854
Vulnerability from fkie_nvd - Published: 2021-02-03 17:15 - Updated: 2024-11-21 05:18
Severity ?
Summary
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
References
| URL | Tags | ||
|---|---|---|---|
| vuln@vdoo.com | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| realtek | rtl8195a_firmware | * | |
| realtek | rtl8195a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C",
"versionEndExcluding": "2.08",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
},
{
"lang": "es",
"value": "La funci\u00f3n DecWPA2KeyData() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una funci\u00f3n interna, rt_arc4_crypt_veneer() o _AES_UnWRAP_veneer(), resulta en un desbordamiento del b\u00fafer de la pila que puede ser explotado para una ejecuci\u00f3n de c\u00f3digo remota o una denegaci\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante necesita conocer el PSK de la red para explotar esto"
}
],
"id": "CVE-2020-25854",
"lastModified": "2024-11-21T05:18:54.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T17:15:14.747",
"references": [
{
"source": "vuln@vdoo.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"sourceIdentifier": "vuln@vdoo.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "vuln@vdoo.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-27302 (GCVE-0-2020-27302)
Vulnerability from cvelistv5 – Published: 2021-06-04 12:24 – Updated: 2024-08-04 16:11
VLAI?
Summary
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "memcpy" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"memcpy\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-04T12:24:41",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-27302",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"memcpy\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day",
"refsource": "MISC",
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-27302",
"datePublished": "2021-06-04T12:24:41",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27301 (GCVE-0-2020-27301)
Vulnerability from cvelistv5 – Published: 2021-06-04 12:24 – Updated: 2024-08-04 16:11
VLAI?
Summary
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-04T12:24:37",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-27301",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day",
"refsource": "MISC",
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-27301",
"datePublished": "2021-06-04T12:24:37",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25853 (GCVE-0-2020-25853)
Vulnerability from cvelistv5 – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.
Severity ?
No CVSS data available.
CWE
- CWE-126 - Stack buffer over-read (CWE-126)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "Stack buffer over-read (CWE-126)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:20",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25853",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer over-read (CWE-126)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25853",
"datePublished": "2021-02-03T16:49:20",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25854 (GCVE-0-2020-25854)
Vulnerability from cvelistv5 – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:08",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25854",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25854",
"datePublished": "2021-02-03T16:49:08",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25855 (GCVE-0-2020-25855)
Vulnerability from cvelistv5 – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:05",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25855",
"datePublished": "2021-02-03T16:49:05",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25856 (GCVE-0-2020-25856)
Vulnerability from cvelistv5 – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:02",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25856",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25856",
"datePublished": "2021-02-03T16:49:02",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25857 (GCVE-0-2020-25857)
Vulnerability from cvelistv5 – Published: 2021-02-03 16:48 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:48:59",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25857",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25857",
"datePublished": "2021-02-03T16:48:59",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27302 (GCVE-0-2020-27302)
Vulnerability from nvd – Published: 2021-06-04 12:24 – Updated: 2024-08-04 16:11
VLAI?
Summary
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "memcpy" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"memcpy\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-04T12:24:41",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-27302",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"memcpy\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day",
"refsource": "MISC",
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-27302",
"datePublished": "2021-06-04T12:24:41",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27301 (GCVE-0-2020-27301)
Vulnerability from nvd – Published: 2021-06-04 12:24 – Updated: 2024-08-04 16:11
VLAI?
Summary
A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-04T12:24:37",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-27301",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day",
"refsource": "MISC",
"url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-27301",
"datePublished": "2021-06-04T12:24:37",
"dateReserved": "2020-10-19T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25853 (GCVE-0-2020-25853)
Vulnerability from nvd – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.
Severity ?
No CVSS data available.
CWE
- CWE-126 - Stack buffer over-read (CWE-126)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "Stack buffer over-read (CWE-126)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:20",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25853",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer over-read (CWE-126)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25853",
"datePublished": "2021-02-03T16:49:20",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25854 (GCVE-0-2020-25854)
Vulnerability from nvd – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:08",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25854",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, rt_arc4_crypt_veneer() or _AES_UnWRAP_veneer(), resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25854",
"datePublished": "2021-02-03T16:49:08",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25855 (GCVE-0-2020-25855)
Vulnerability from nvd – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:05",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25855",
"datePublished": "2021-02-03T16:49:05",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25856 (GCVE-0-2020-25856)
Vulnerability from nvd – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:49:02",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25856",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25856",
"datePublished": "2021-02-03T16:49:02",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25857 (GCVE-0-2020-25857)
Vulnerability from nvd – Published: 2021-02-03 16:48 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.
Severity ?
No CVSS data available.
CWE
- CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Realtek RTL8195A Wi-Fi Module |
Affected:
Versions before 2020-04-21 (up to and excluding 2.08)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:05.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Realtek RTL8195A Wi-Fi Module",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack buffer overflow (CWE-121)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-03T16:48:59",
"orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"shortName": "VDOO"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@vdoo.com",
"ID": "CVE-2020-25857",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Realtek RTL8195A Wi-Fi Module",
"version": {
"version_data": [
{
"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network\u0027s PSK."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stack buffer overflow (CWE-121)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
"refsource": "CONFIRM",
"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
"assignerShortName": "VDOO",
"cveId": "CVE-2020-25857",
"datePublished": "2021-02-03T16:48:59",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:49:05.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}