Researchers Uncover Zero-Click Vulnerability in MediaTek Chipsets

According to reports, a serious flaw in MediaTek chipsets may make it simple for hackers to launch remote code execution (RCE) attacks. A cybersecurity company says the vulnerability exists in certain chipsets, primarily affecting routers and cellphones. Although the vulnerability was first discovered in March, a proof-of-concept demonstrating how to exploit it was only recently released on GitHub. The company has classified it as a significant zero-click vulnerability with a CVSS 3.0 score of 9.8.



Chipsets Made by MediaTek Allegedly Have a Serious Vulnerability

The SonicWall Capture Labs threat research team has described the new vulnerability in detail in a blog post. The bug is tracked as CVE-2024-20017 and is categorized as a significant zero-click vulnerability. This kind of security hole lets attackers exploit a system remotely with no involvement or activity from the target. The user does not have to fall for any of the lures typically employed in phishing attacks.

The researchers gave the vulnerability a score of 9.8, indicating that it is critical. The problem was found to affect two MediaTek Wi-Fi chipsets, MT7622 and MT7915, and the RTxxxx series SoftAP driver bundles. Companies like Xiaomi, Ubiquiti, and Netgear typically use these chipsets in their routers and smartphones. According to the cybersecurity firm, the vulnerability affects MediaTek SDK versions 7.4.0.1 and earlier as well as OpenWrt versions 19.07 and 21.02.



On the exploitation side, this vulnerability allows for remote code execution. According to the researchers, attackers can obtain sensitive data from the device, without the user taking any action, by using a "table overwrite technique via a return-oriented programming (ROP) chain."

One reason the vulnerability is being publicized now, rather than in March when it was first found, is that a proof-of-concept has been published on GitHub, showing that an attack using CVE-2024-20017 is feasible.

Notably, MediaTek issued fixes for the vulnerability after the researchers contacted the chip manufacturer. Users are asked to upgrade their firmware as soon as feasible.



About MediaTek

MediaTek Inc., informally known as MTK, is a Taiwanese fabless semiconductor company that designs and produces a variety of semiconductor products. Its products include chips for digital subscriber line services, wireless communications, high-definition television, handheld mobile devices like smartphones and tablet computers, navigation systems, consumer multimedia products, and optical disc drives.

Established in 1997 and headquartered in Hsinchu, the firm has 41 offices across the globe and was the world's third-largest fabless chip designer in 2016. The business also offers reference designs to its clients. In Q3 2020, MediaTek emerged as the leading supplier of smartphone chipsets, holding a 31% market share, helped by its strong performance in places like China and India.

