CVE-2020-25855 (GCVE-0-2020-25855)

Vulnerability from cvelistv5 – Published: 2021-02-03 16:49 – Updated: 2024-08-04 15:49
VLAI?
Summary
The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.
Severity ?
No CVSS data available.
CWE
  • CWE-121 - Stack buffer overflow (CWE-121)
Assigner
References
Impacted products
Vendor Product Version
n/a Realtek RTL8195A Wi-Fi Module Affected: Versions before 2020-04-21 (up to and excluding 2.08)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:49:05.976Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Realtek RTL8195A Wi-Fi Module",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before 2020-04-21 (up to and excluding 2.08)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack buffer overflow (CWE-121)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-03T16:49:05",
        "orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
        "shortName": "VDOO"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vuln@vdoo.com",
          "ID": "CVE-2020-25855",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Realtek RTL8195A Wi-Fi Module",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Stack buffer overflow (CWE-121)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/",
              "refsource": "CONFIRM",
              "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24",
    "assignerShortName": "VDOO",
    "cveId": "CVE-2020-25855",
    "datePublished": "2021-02-03T16:49:05",
    "dateReserved": "2020-09-23T00:00:00",
    "dateUpdated": "2024-08-04T15:49:05.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.08\", \"matchCriteriaId\": \"24D4DC02-E833-483C-885F-9E168E5F8A4C\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"62A37D39-5134-4AFE-9F59-C8C36A113B04\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this.\"}, {\"lang\": \"es\", \"value\": \"La funci\\u00f3n AES_UnWRAP() en el m\\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\\u00e1metro size para una operaci\\u00f3n memcpy(), resultando en un desbordamiento del b\\u00fafer de la pila que puede ser explotado para una ejecuci\\u00f3n de c\\u00f3digo remota o una denegaci\\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante necesita conocer el PSK de la red para explotar esto\"}]",
      "id": "CVE-2020-25855",
      "lastModified": "2024-11-21T05:18:54.690",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-02-03T17:15:15.043",
      "references": "[{\"url\": \"https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/\", \"source\": \"vuln@vdoo.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "vuln@vdoo.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"vuln@vdoo.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-121\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-25855\",\"sourceIdentifier\":\"vuln@vdoo.com\",\"published\":\"2021-02-03T17:15:15.043\",\"lastModified\":\"2024-11-21T05:18:54.690\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network\u0027s PSK in order to exploit this.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n AES_UnWRAP() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n memcpy(), resultando en un desbordamiento del b\u00fafer de la pila que puede ser explotado para una ejecuci\u00f3n de c\u00f3digo remota o una denegaci\u00f3n de servicio.\u0026#xa0;Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2.\u0026#xa0;El atacante necesita conocer el PSK de la red para explotar esto\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"vuln@vdoo.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.08\",\"matchCriteriaId\":\"24D4DC02-E833-483C-885F-9E168E5F8A4C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62A37D39-5134-4AFE-9F59-C8C36A113B04\"}]}]}],\"references\":[{\"url\":\"https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/\",\"source\":\"vuln@vdoo.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.