Vulnerabilities in Realtek SD Card Reader Driver Impact Several Popular Laptop Brands
Summary:
Several vulnerabilities have been identified in the Realtek SD card reader driver, RtsPer[.]sys, impacting a broad range of laptops from major brands. These vulnerabilities have existed for years and allow non-privileged users to leak kernel memory and to read and write physical memory through Direct Memory Access (DMA).
The vulnerabilities were initially discovered in January 2022 by Zwclose during an examination of the Windows Object Manager's \Device directory. The investigation revealed that a permissive Access Control List (ACL) on one of the device objects exposed flaws in the RtsPer[.]sys driver. Although Realtek issued a patch in April 2022, a critical DMA vulnerability persisted, with further analysis uncovering additional issues.
Security Officer Comments:
CVE-2024-40431: Arbitrary Kernel Memory Write - This is the most dangerous of the identified vulnerabilities. It allows arbitrary writes to kernel memory by exploiting predictable SystemBuffer addresses, combining stack leaks with rogue offsets for precise memory manipulation.
CVE-2022-25480 & CVE-2024-40432: Writing Beyond SystemBuffer - Both vulnerabilities involve improper handling of sense data and protocol arguments, allowing indirect writes to kernel memory. They exploit unchecked offsets that can redirect data writes beyond the intended buffers.
CVE-2022-25479: Leaking Kernel Pool and Stack - CVE-2022-25479 allows kernel memory to leak from the stack and the kernel pool (heap) through improperly handled SCSI commands. Attackers can extract sensitive information from kernel memory by manipulating data buffer sizes.
CVE-2022-25478: Accessing PCI Config Space - RtsPer[.]sys exposes control codes that grant access to the PCI configuration space, which can be abused to cause system instability. Writing random values to Base Address Registers (BARs) can trigger interrupt storms, rendering the operating system unusable.
CVE-2022-25477: Leaking Driver Logs - The driver logs extensively, and those logs expose the addresses of kernel-mode objects, weakening Kernel Address Space Layout Randomization (KASLR). Because of permissive ACLs on the device object, any user can read the log data. The fixed version encrypts these logs to prevent unauthorized access.
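The two bug classes behind CVE-2022-25480/CVE-2024-40432 (a caller-controlled offset used to place data in SystemBuffer) and CVE-2022-25479 (a caller-controlled length used to copy data back) share one root cause: request fields are trusted without bounds checks. The following is an added, constructed user-mode model of that pattern and its hardened form; it is not RtsPer[.]sys code and makes no claim about the driver's real IOCTL layout. The buffer size, status codes and sense bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model: a driver completes an IOCTL through a
 * fixed-size SystemBuffer using a caller-supplied offset (write path) and a
 * caller-supplied length (read-back path). Not RtsPer.sys code. */

#define SYSBUF_SIZE 64          /* assumed buffer size for the example */

typedef enum {
    STATUS_OK = 0,
    STATUS_INVALID_PARAM = 1,
    STATUS_BUFFER_TOO_SMALL = 2
} status_t;

/* Vulnerable pattern: the offset comes straight from the request and is
 * never compared with the buffer size, so a large offset moves the memcpy
 * past the end of sysbuf. Kept only for contrast; never call it with
 * untrusted input. */
void write_sense_data_unchecked(uint8_t *sysbuf, size_t offset,
                                const uint8_t *sense, size_t sense_len)
{
    memcpy(sysbuf + offset, sense, sense_len);
}

/* Hardened write: offset and length are validated in an order that cannot
 * overflow (never test offset + sense_len <= sysbuf_len, which wraps). */
status_t write_sense_data(uint8_t *sysbuf, size_t sysbuf_len, size_t offset,
                          const uint8_t *sense, size_t sense_len)
{
    if (sysbuf == NULL || sense == NULL)
        return STATUS_INVALID_PARAM;
    if (offset > sysbuf_len)
        return STATUS_INVALID_PARAM;
    if (sense_len > sysbuf_len - offset)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(sysbuf + offset, sense, sense_len);
    return STATUS_OK;
}

/* Hardened read-back: the caller asks for requested_len bytes but the device
 * produced only produced_len. Copy the real data, zero the remainder, and
 * refuse requests larger than the output buffer. Returning requested_len
 * bytes without the memset is what hands stale stack or pool bytes to
 * user mode. */
status_t complete_read(uint8_t *sysbuf, size_t sysbuf_len, size_t requested_len,
                       const uint8_t *device_data, size_t produced_len)
{
    if (sysbuf == NULL || device_data == NULL)
        return STATUS_INVALID_PARAM;
    if (requested_len > sysbuf_len)
        return STATUS_BUFFER_TOO_SMALL;
    size_t n = produced_len < requested_len ? produced_len : requested_len;
    memcpy(sysbuf, device_data, n);
    memset(sysbuf + n, 0, requested_len - n);
    return STATUS_OK;
}

/* Exercises both checks with constructed inputs; returns how many
 * expectations held (6 when everything works). */
int demo_checks(void)
{
    uint8_t sysbuf[SYSBUF_SIZE];
    const uint8_t sense[4] = { 0x70, 0x00, 0x05, 0x00 };  /* constructed sense bytes */
    int ok = 0;

    /* Poison the buffer so any byte that is neither written nor zeroed shows. */
    memset(sysbuf, 0xAA, sizeof sysbuf);

    ok += write_sense_data(sysbuf, sizeof sysbuf, 60, sense, 4) == STATUS_OK;
    ok += sysbuf[60] == 0x70 && sysbuf[63] == 0x00;
    ok += write_sense_data(sysbuf, sizeof sysbuf, 61, sense, 4) == STATUS_BUFFER_TOO_SMALL;
    ok += write_sense_data(sysbuf, sizeof sysbuf, SIZE_MAX, sense, 4) == STATUS_INVALID_PARAM;

    memset(sysbuf, 0xAA, sizeof sysbuf);
    ok += complete_read(sysbuf, sizeof sysbuf, 16, sense, 4) == STATUS_OK;
    /* bytes 4..15 must be zero, not the 0xAA "stale" contents; byte 16 untouched */
    ok += sysbuf[3] == 0x00 && sysbuf[4] == 0x00 && sysbuf[15] == 0x00 && sysbuf[16] == 0xAA;

    return ok;
}

int main(void)
{
    printf("%d of 6 checks held\n", demo_checks());
    return 0;
}
```

The ordering of the two comparisons in write_sense_data is the point: checking `offset > sysbuf_len` first, then `sense_len > sysbuf_len - offset`, stays correct for every size_t value, whereas the more natural `offset + sense_len <= sysbuf_len` wraps around for large offsets and lets them through. In complete_read, the memset is what separates "returns the requested number of bytes" from "returns uninitialised kernel memory".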
Suggested Corrections:
The Realtek SD card reader driver is widely adopted across various laptop models due to its versatile design. As a result, vulnerabilities within its core components can have extensive impacts. Affected devices include popular Dell and Lenovo models, as well as other laptops that utilize Realtek SD card readers.
Realtek has been addressing these vulnerabilities, releasing updates gradually over time.
Users are strongly encouraged to update their drivers promptly to safeguard their systems from exploitation. This situation highlights the critical need for regular security audits and updates of hardware drivers, particularly those deployed across a wide range of platforms and devices.
Link(s):
https://gbhackers.com/vulnerabilities-in-realtek-sd-card-reader/