CVE-2020-25856 - OpenCVE

The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Realtek	Rtl8195a Rtl8195a Firmware

Configuration 1 [-]

AND

cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/

History

No history.

MITRE

Status: PUBLISHED

Assigner: VDOO

Published: 2021-02-03T16:49:02

Updated: 2024-08-04T15:49:05.936Z

Reserved: 2020-09-23T00:00:00

Link: CVE-2020-25856

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-03T17:15:15.420

Modified: 2021-02-08T18:53:53.647

Link: CVE-2020-25856

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Realtek RTL8195A Wi-Fi Module", "vendor": "n/a", "versions": [{"status": "affected", "version": "Versions before 2020-04-21 (up to and excluding 2.08)"}]}], "descriptions": [{"lang": "en", "value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "Stack buffer overflow (CWE-121)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-03T16:49:02", "orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "shortName": "VDOO"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@vdoo.com", "ID": "CVE-2020-25856", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Realtek RTL8195A Wi-Fi Module", "version": {"version_data": [{"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stack buffer overflow (CWE-121)"}]}]}, "references": {"reference_data": [{"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/", "refsource": "CONFIRM", "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:05.936Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}]}]}, "cveMetadata": {"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "assignerShortName": "VDOO", "cveId": "CVE-2020-25856", "datePublished": "2021-02-03T16:49:02", "dateReserved": "2020-09-23T00:00:00", "dateUpdated": "2024-08-04T15:49:05.936Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C", "versionEndExcluding": "2.08", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*", "matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The function DecWPA2KeyData() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this."}, {"lang": "es", "value": "La funci\u00f3n DecWPA2KeyData() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n rtl_memcpy(), resulta en un desbordamiento del b\u00fafer de la pila que puede ser explotada para una ejecuci\u00f3n de c\u00f3digo remota o una denegaci\u00f3n de servicio. Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2. El atacante necesita conocer el PSK de la red para explotar esto"}], "id": "CVE-2020-25856", "lastModified": "2021-02-08T18:53:53.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-03T17:15:15.420", "references": [{"source": "vuln@vdoo.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}], "sourceIdentifier": "vuln@vdoo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "vuln@vdoo.com", "type": "Secondary"}]}