
Realtek Semiconductor Corp.

No. 2, Innovation Road II, Hsinchu Science Park, Hsinchu 300, Taiwan Tel: +886-3-5780211; Fax: +886-3-5776047

Security Advisory Report

May 5, 2022

Realtek RtsPer/RtsUer Card Reader Driver Vulnerability (CVE-2022-25476/CVE-2022-25477/CVE-2022-25478/CVE-2022-25479/CVE-2022-25480)

Release Date

2022/05/05

Affected Projects

Realtek RtsPer driver for PCIe Card Reader
Realtek RtsUer driver for USB Card Reader

Affected Versions

RtsPer.sys version 10.0.22000.21354 and below
RtsUer.sys version 10.0.22000.31273 and below

CVE ID

CVE-2022-25476
CVE-2022-25477
CVE-2022-25478
CVE-2022-25479
CVE-2022-25480

Description

The following security issues were found in IOCTL requests provided by the RtsPer/RtsUer driver:

1. Input data from user mode is not properly validated and could lead to a system crash.

2. Exposing kernel stack or pool memory to a non-administrator user.

3. Access to arbitrary PCI config from a non-administrator user.

4. Access to device specific IO space and config registers from a non-administrator user.


Vulnerability Type

System Crash
Gain Privileges
Kernel Memory Leak

Attack Type

Local

Security Risk

High

Patch

RtsPer v10.0.22000.21355

RtsUer v10.0.22000.31274
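
A version check against the patched builds listed above, as an added example that is not part of Realtek's advisory. It assumes the drivers sit in %SystemRoot%\System32\drivers (the usual location for kernel-mode drivers); the function name Get-RtsDriverStatus is hypothetical.

```powershell
# Added example: flag Realtek card reader drivers older than the fixed builds.
# Fixed versions are taken from the advisory's Patch section.
$FixedVersions = @{
    'RtsPer.sys' = [version]'10.0.22000.21355'
    'RtsUer.sys' = [version]'10.0.22000.31274'
}
# Assumption: default install directory for kernel-mode drivers.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-RtsDriverStatus {
    param([string]$Directory = $DriverDir)

    foreach ($name in $FixedVersions.Keys) {
        $path  = Join-Path $Directory $name
        $fixed = $FixedVersions[$name]

        if (-not (Test-Path -LiteralPath $path)) {
            # Driver not installed on this machine: nothing to patch.
            [pscustomobject]@{
                Driver = $name; Installed = $null; Fixed = $fixed; Status = 'NotPresent'
            }
            continue
        }

        # Build the version from the binary's numeric fields; the FileVersion
        # string may carry extra text and does not always parse as [version].
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $installed = [version]::new(
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        # "X and below" in the advisory is the same as "lower than the fixed build".
        $status = if ($installed -lt $fixed) { 'Vulnerable' } else { 'Patched' }

        [pscustomobject]@{
            Driver = $name; Installed = $installed; Fixed = $fixed; Status = $status
        }
    }
}

Get-RtsDriverStatus | Format-Table -AutoSize
```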


# # #

Realtek is a trademark of Realtek Semiconductor Corporation. Other trademarks or registered trademarks mentioned in this release are the intellectual property of their respective owners.
