Vulnerabilities in Realtek SD card Reader Driver Impacts Dell, Lenovo, & Others Laptops

Published on

Multiple vulnerabilities have been discovered in the Realtek SD card reader driver, RtsPer.sys, affecting a wide range of laptops from major manufacturers like Dell and Lenovo.

These vulnerabilities have been present for years, allowing non-privileged users to exploit the system by leaking kernel memory and reading and writing physical memory via Direct Memory Access (DMA).

This article delves into the specifics of these vulnerabilities, their potential impacts, and the steps taken to address them.

The vulnerabilities were first identified in January 2022 by Zwclose during an exploration of the Windows Object Manager’s \Device directory.

A permissive Access Control List (ACL) on one of the device objects led to the discovery of flaws in the RtsPer.sys driver.

Despite Realtek releasing a fix in April 2022, a critical DMA vulnerability remained unaddressed until further investigation revealed additional issues.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

The driver logs extensively, CVE-2022-25477, which weakens Kernel Address Space Layout Randomization (KASLR) by exposing the addresses of kernel mode objects.

Due to permissive ACLs on the device object, any user can access the log data. The fixed version encrypts these logs to prevent unauthorized access.

Code Snippet:

RtsPer.sys allows access to the PCI configuration space using control codes that can be exploited to cause system instability. Writing random values to Base Address Registers (BARs), CVE-2022-25478, can trigger interrupt storms, rendering the operating system unusable.

Code Snippet:

CVE-2022-25479 allows kernel memory leakage from the stack and heaps through improperly handled SCSI commands. Attackers can extract sensitive information from kernel memory by manipulating data buffer sizes.

Code Snippet:

CVE-2022-25480 and CVE-2024-40432 involve improper handling of sense data and protocol arguments, allowing indirect writes to kernel memory. They exploit unchecked offsets that can redirect data writes beyond intended buffers.

Code Snippet:

This is the most dangerous vulnerability, CVE-2024-40431. It allows arbitrary writes to kernel memory by exploiting predictable SystemBuffer addresses. It combines stack leaks with rogue offsets for precise memory manipulation.

Code Snippet:

Due to its universal design, the Realtek SD card reader driver is widely used across multiple laptop models.

This broad applicability means vulnerabilities in its core components can have widespread effects. Affected devices include famous Dell and Lenovo models and others equipped with Realtek SD card readers.

Realtek has been working on fixes for these vulnerabilities, with updates being rolled out over an extended period.

Users are advised to update their drivers promptly and protect their systems against potential exploits.

These findings underscore the importance of regular security audits and updates for hardware drivers, especially those used across multiple platforms and devices.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.