CVE-2020-25855

The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*

History

08 Feb 2021, 18:50

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 8.1
References	~~(CONFIRM) https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ -~~	(CONFIRM) https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/ - Exploit, Third Party Advisory
CPE		cpe:2.3:h:realtek:rtl8195a:-:::::::* cpe:2.3:o:realtek:rtl8195a_firmware::::::::
CWE		CWE-787

03 Feb 2021, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-02-03 17:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-25855

Mitre link : CVE-2020-25855

CVE.ORG link : CVE-2020-25855

JSON object : View

Products Affected

realtek

rtl8195a
rtl8195a_firmware

CWE

CWE-787

Out-of-bounds Write

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2020-25855", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2021-02-03T17:15:15.043", "references": [{"url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/", "tags": ["Exploit", "Third Party Advisory"], "source": "vuln@vdoo.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "vuln@vdoo.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "The function AES_UnWRAP() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for a memcpy() operation, resulting in a stack buffer overflow which can be exploited for remote code execution or denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker needs to know the network's PSK in order to exploit this."}, {"lang": "es", "value": "La funci\u00f3n AES_UnWRAP() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una operaci\u00f3n memcpy(), resultando en un desbordamiento del b\u00fafer de la pila que puede ser explotado para una ejecuci\u00f3n de c\u00f3digo remota o una denegaci\u00f3n de servicio. Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2. El atacante necesita conocer el PSK de la red para explotar esto"}], "lastModified": "2021-02-08T18:50:40.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C", "versionEndExcluding": "2.08"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "vuln@vdoo.com"}