CVE-2020-27301 - OpenCVE

A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Realtek	Rtl8195a Rtl8195a Firmware Rtl8710c Rtl8710c Firmware

Configuration 1 [-]

AND

cpe:2.3:o:realtek:rtl8710c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:realtek:rtl8710c:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:realtek:rtl8195a_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day

History

No history.

MITRE

Status: PUBLISHED

Assigner: VDOO

Published: 2021-06-04T12:24:37

Updated: 2024-08-04T16:11:36.577Z

Reserved: 2020-10-19T00:00:00

Link: CVE-2020-27301

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-04T13:15:07.750

Modified: 2021-06-14T18:07:06.830

Link: CVE-2020-27301

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-04T12:24:37", "orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "shortName": "VDOO"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@vdoo.com", "ID": "CVE-2020-27301", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day", "refsource": "MISC", "url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.577Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"}]}]}, "cveMetadata": {"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "assignerShortName": "VDOO", "cveId": "CVE-2020-27301", "datePublished": "2021-06-04T12:24:37", "dateReserved": "2020-10-19T00:00:00", "dateUpdated": "2024-08-04T16:11:36.577Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:realtek:rtl8710c_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F44702F-DFF5-4797-BA71-6CF5591782CF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:realtek:rtl8710c:-:*:*:*:*:*:*:*", "matchCriteriaId": "DEB9942A-10B7-4838-B437-DA3F842CAA66", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C242328-36B8-4995-8174-378EDB8E6A7A", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*", "matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the \"AES_UnWRAP\" function, when an attacker in Wi-Fi range sends a crafted \"Encrypted GTK\" value as part of the WPA2 4-way-handshake."}, {"lang": "es", "value": "Un desbordamiento del b\u00fafer de la pila en Realtek RTL8710 (y otros dispositivos basados en Ameba) puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota por medio de la funci\u00f3n \"AES_UnWRAP\", cuando un atacante en el alcance del Wi-Fi env\u00eda un valor \"Encrypted GTK\" dise\u00f1ado como parte del 4-way-handshake de WPA2"}], "id": "CVE-2020-27301", "lastModified": "2021-06-14T18:07:06.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.7, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-04T13:15:07.750", "references": [{"source": "vuln@vdoo.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day"}], "sourceIdentifier": "vuln@vdoo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}