Security researchers have uncovered multiple vulnerabilities in Realtek’s SD card reader driver, RtsPer.sys, affecting numerous laptops from major manufacturers, including Dell, Lenovo, HP, and MSI.
These flaws, some of which have remained undisclosed for years, could allow attackers to leak kernel memory, write to arbitrary kernel addresses, and even access physical memory from user mode.
Multiple Vulnerabilities Uncovered
The vulnerabilities, discovered by an independent researcher, span across several CVE identifiers:
- CVE-2022-25477: Leaking driver logs
- CVE-2022-25478: Accessing PCI config space
- CVE-2022-25479: Leaking kernel pool and stack
- CVE-2022-25480: Writing beyond IRP::SystemBuffer
- CVE-2024-40432: Writing beyond IRP::SystemBuffer
- CVE-2024-40431: Writing to arbitrary kernel address
- CVE-2022-25476: Accessing the DMA controller
The most critical of these, CVE-2024-40431, when combined with CVE-2022-25479, allows for arbitrary writing to kernel memory.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
This could potentially be exploited to disable driver signature enforcement, a key Windows security feature.
The affected SD card reader models include RTS5227, RTS5228, RTS522A, RTS5249, RTS524A, RTS5250, RTS525A, RTS5287, RTS5260, RTS5261, and RTS5264.
The potential impact is significant due to the widespread use of these readers in laptops from various manufacturers. Exploitation of these vulnerabilities could lead to privilege escalation, information disclosure, and system compromise.
In one demonstration, the researcher temporarily disabled driver signature checks, allowing the loading of an unsigned driver.
The vulnerabilities stem from various issues in the driver, including improper handling of SCSI commands, inadequate input validation, and insufficient checks on memory operations.
Some of these flaws have persisted through multiple fix attempts by Realtek. While Realtek has released patches for these vulnerabilities, the researcher noted that the company’s response became “slow and reluctant” over time.
The fixed version of RtsPer.sys is 10.0.26100.21374 or higher, released sometime in July or August 2023.
Users of affected laptops are strongly advised to update their SD card reader drivers as soon as possible.
However, due to the nature of driver updates, many users may remain vulnerable if their OEMs do not push the updates through their standard channels.
This incident highlights the potential security risks associated with common hardware components and their drivers.
It also underscores the importance of thorough security audits for widely-used drivers, as vulnerabilities in these components can have far-reaching consequences across multiple device manufacturers.
As the Internet of Things (IoT) continues to expand and more devices incorporate various hardware components, the security of drivers and firmware becomes increasingly critical.
This case serves as a reminder for both hardware manufacturers and OEMs to prioritize security throughout their supply chain and to maintain vigilance in addressing vulnerabilities promptly.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!