CVE-2020-25857 - OpenCVE

The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Realtek	Rtl8195a Rtl8195a Firmware

Configuration 1 [-]

AND

cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/

History

No history.

MITRE

Status: PUBLISHED

Assigner: VDOO

Published: 2021-02-03T16:48:59

Updated: 2024-08-04T15:49:05.909Z

Reserved: 2020-09-23T00:00:00

Link: CVE-2020-25857

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-03T17:15:15.747

Modified: 2021-02-08T19:19:26.510

Link: CVE-2020-25857

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Realtek RTL8195A Wi-Fi Module", "vendor": "n/a", "versions": [{"status": "affected", "version": "Versions before 2020-04-21 (up to and excluding 2.08)"}]}], "descriptions": [{"lang": "en", "value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "Stack buffer overflow (CWE-121)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-03T16:48:59", "orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "shortName": "VDOO"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@vdoo.com", "ID": "CVE-2020-25857", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Realtek RTL8195A Wi-Fi Module", "version": {"version_data": [{"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stack buffer overflow (CWE-121)"}]}]}, "references": {"reference_data": [{"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/", "refsource": "CONFIRM", "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:05.909Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}]}]}, "cveMetadata": {"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "assignerShortName": "VDOO", "cveId": "CVE-2020-25857", "datePublished": "2021-02-03T16:48:59", "dateReserved": "2020-09-23T00:00:00", "dateUpdated": "2024-08-04T15:49:05.909Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C", "versionEndExcluding": "2.08", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*", "matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The function ClientEAPOLKeyRecvd() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an rtl_memcpy() operation, resulting in a stack buffer overflow which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK."}, {"lang": "es", "value": "La funci\u00f3n ClientEAPOLKeyRecvd() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n rtl_memcpy(), resultando en un desbordamiento del b\u00fafer de la pila que puede ser explotada para una denegaci\u00f3n de servicio. Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2. El atacante no necesita conocer el PSK de la red"}], "id": "CVE-2020-25857", "lastModified": "2021-02-08T19:19:26.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-03T17:15:15.747", "references": [{"source": "vuln@vdoo.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}], "sourceIdentifier": "vuln@vdoo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "vuln@vdoo.com", "type": "Secondary"}]}