CVE-2021-35392 Overview
CVE-2021-35392 is a heap buffer overflow vulnerability affecting the Realtek Jungle SDK versions v2.x through v3.4.14B. The vulnerability exists within the 'WiFi Simple Config' server component, which implements both UPnP (Universal Plug and Play) and SSDP (Simple Service Discovery Protocol) protocols. This binary is typically named wscd or mini_upnpd and serves as the successor to miniigd.
The vulnerability stems from unsafe handling of SSDP NOTIFY messages that are crafted from received M-SEARCH message ST (Search Target) headers. An attacker can exploit this heap buffer overflow remotely over the network without requiring authentication or user interaction, potentially causing denial of service conditions on affected IoT devices.
Critical Impact
This vulnerability affects a widely-deployed SDK used in numerous IoT devices, routers, and access points, representing a significant supply chain security risk across multiple vendors and product lines.
Affected Products
- Realtek RTL819x Jungle Software Development Kit v2.x through v3.4.14B
- IoT devices, routers, and access points built using the vulnerable Realtek SDK
- Devices running wscd or mini_upnpd binaries with UPnP/SSDP services enabled
Discovery Timeline
- August 16, 2021 - CVE-2021-35392 published to NVD
- August 13, 2025 - Last updated in NVD database
Technical Details for CVE-2021-35392
Vulnerability Analysis
This heap buffer overflow vulnerability (CWE-787: Out-of-Bounds Write) occurs in the WiFi Simple Config server's SSDP message handling routine. When the server receives an M-SEARCH discovery request, it processes the ST (Search Target) header value to craft a corresponding SSDP NOTIFY response message. The vulnerable code fails to properly validate the length of the ST header content before copying it into a fixed-size heap buffer, allowing an attacker to overflow the buffer boundaries.
The vulnerability is particularly concerning in IoT environments because the SSDP protocol operates over UDP on port 1900 and is designed to be openly accessible on local networks for device discovery purposes. Many affected devices have this service enabled by default with no authentication requirements.
Root Cause
The root cause of CVE-2021-35392 is improper bounds checking during the construction of SSDP NOTIFY messages. When an M-SEARCH request is received, the server extracts the ST header value and uses it to build a response without validating that the input data fits within the allocated heap buffer. This lack of input validation allows an attacker to supply an oversized ST header value that exceeds the expected buffer size, resulting in a heap buffer overflow condition.
The vulnerable code path exists in the wscd or mini_upnpd binaries that implement the WiFi Simple Config functionality. The unsafe memory operation occurs when copying the attacker-controlled ST header data into a heap-allocated buffer used for crafting the SSDP NOTIFY response.
Attack Vector
The attack vector for CVE-2021-35392 is network-based and requires no authentication or user interaction. An attacker on the same network segment as a vulnerable device can exploit this vulnerability by:
- Sending a specially crafted SSDP M-SEARCH request to the target device on UDP port 1900
- Including an oversized or malicious ST header value in the request
- The vulnerable server processes the request and attempts to construct a NOTIFY response
- The heap buffer overflow occurs during message construction, corrupting adjacent heap memory
The attack can be executed remotely from any device capable of sending UDP packets to the target's SSDP service. In typical network configurations, this includes any device on the local network. If UPnP services are inadvertently exposed to the internet, remote exploitation becomes possible.
Detection Methods for CVE-2021-35392
Indicators of Compromise
- Unexpected crashes or restarts of the wscd or mini_upnpd processes on affected devices
- Unusual SSDP traffic patterns, particularly M-SEARCH requests with abnormally large ST headers
- Memory corruption errors in device logs related to UPnP or SSDP services
- Devices becoming unresponsive after processing network discovery requests
Detection Strategies
- Monitor network traffic for SSDP M-SEARCH requests with unusually large ST header values (exceeding typical service type string lengths)
- Deploy network intrusion detection rules to identify malformed UPnP/SSDP packets targeting port 1900/UDP
- Implement endpoint monitoring for crashes or unexpected restarts of WiFi Simple Config server processes
- Conduct firmware version audits to identify devices running vulnerable Realtek SDK versions (v2.x to v3.4.14B)
Monitoring Recommendations
- Enable logging on network perimeter devices to capture SSDP traffic anomalies
- Implement network segmentation to isolate IoT devices from critical infrastructure
- Deploy SentinelOne Singularity for endpoint visibility and behavioral detection on supported network appliances
- Regularly scan the network for devices with exposed UPnP services using vulnerability assessment tools
How to Mitigate CVE-2021-35392
Immediate Actions Required
- Identify all devices in your environment using Realtek Jungle SDK versions v2.x through v3.4.14B
- Disable UPnP and SSDP services on affected devices if not required for business operations
- Apply firmware updates from device manufacturers that include the patched Realtek SDK
- Implement network access controls to restrict SSDP traffic (UDP port 1900) to trusted segments only
Patch Information
Realtek has released security advisories and updated SDK versions addressing this vulnerability. Device manufacturers using the affected Realtek SDK should obtain the patched SDK from Realtek and release firmware updates for their products. End users should check with their device vendors for firmware updates that address CVE-2021-35392.
For detailed patch information, refer to the Realtek SDK Advisory for CVE-2021-35392.
Additional technical details are available in the IoT Inspector Advisory.
Workarounds
- Disable UPnP/SSDP services on affected devices through the administrative interface if firmware updates are not yet available
- Block UDP port 1900 at network boundaries to prevent external exploitation attempts
- Implement network segmentation to isolate vulnerable IoT devices from sensitive network segments
- Consider replacing end-of-life devices that will not receive security updates
# Example iptables rule to block external SSDP traffic
iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p udp --sport 1900 -j DROP
# Block SSDP traffic at router/firewall level
# Consult your specific device documentation for configuration commands
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
