CVE-2021-36922
📋 TL;DR
The Realtek RtsUpx USB Utility Driver does not adequately validate Device I/O Control (IOCTL) requests. A local, low-privileged user who can open a handle to the driver's device object can send crafted IOCTL packets and gain unauthorized access to the USB devices the driver manages. Depending on the request, this leads to privilege escalation, denial of service, code execution, or information disclosure. Affected users are Windows hosts running a vulnerable version of the driver, typically bundled with Realtek USB camera, hub or audio hardware.
💻 Affected Systems
- Realtek RtsUpx USB Utility Driver for Camera/Hub/Audio
📦 What is this software?
Realtek's RtsUpx USB Utility Driver is a Windows kernel-mode driver shipped alongside Realtek USB camera, hub and audio devices. It exposes a device object that user-mode software reaches through DeviceIoControl, which is the interface this vulnerability abuses.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via privilege escalation to SYSTEM, arbitrary code execution, and complete control over connected USB devices.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM privileges and potentially install malware or exfiltrate data via USB devices.
If Mitigated
Limited impact if the vulnerable driver has been updated, disabled or removed on the host. Running users as standard accounts does not stop the exploit itself (the bug is reachable from low privilege) but makes it harder for an attacker to get the local code execution the attack starts from.
🎯 Exploit Status
Exploitation requires the ability to run code locally as any low-privileged user: the attacker opens a handle to the driver's device object and issues the crafted IOCTL from user mode, so no special hardware, network position or administrative rights are needed. Because the flaw sits in the driver's IOCTL dispatch path, a working request is reusable on every host running the same driver version.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.14.0.0
Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_RtsUpx_Security_Advisory_Report.pdf
Restart Required: Yes
Instructions:
1. Download the latest Realtek RtsUpx driver from Realtek's official website.
2. Uninstall the current vulnerable driver version.
3. Install the updated driver.
4. Restart the system.
🔧 Temporary Workarounds
Disable or remove the driver
Device Manager cannot grant or deny per-user access to a driver; per-device access is controlled by the device object's security descriptor (the Security value under the device's class or instance key, normally set by the INF), not by Device Manager. What Device Manager can do is disable the device that RtsUpx is bound to, which unloads the driver for that device, or uninstall it with "Delete the driver software for this device" ticked so the package is removed from the driver store. Either choice breaks the camera, hub or audio function until the updated driver is installed.
devmgmt.msc
Apply least privilege
Ensure all user accounts operate with the minimum privileges they need. This does not block the vulnerability, which is triggerable by a low-privileged user, but it limits the ways an attacker can obtain the initial code execution needed to reach the driver and prevents users from reinstalling a vulnerable driver package.
🧯 If You Can't Patch
- Use EDR or Sysmon telemetry to inventory hosts on which the RtsUpx driver is loaded, and alert on processes that obtain SYSTEM privileges from a medium-integrity parent on those hosts.
- Restrict USB device usage by policy where the Realtek camera/hub/audio hardware is not required, and segment networks so that a host compromised through this local bug is limited in lateral movement.
🔍 How to Verify
Check if Vulnerable:
Open Device Manager, look under 'System devices' (or the camera, USB or audio class, depending on the device) for Realtek RtsUpx entries, and read the driver version from the Driver tab of the device's properties. From the command line, run the version check below.
Check Version:
pnputil /enum-drivers | findstr RtsUpx
Note that pnputil /enum-drivers prints each driver package as a multi-line block (Published Name, Original Name, Provider Name, Class Name, Driver Version, Signer Name), so piping it to findstr shows only the line that names the RtsUpx INF; read the "Driver Version" line of that block, or run pnputil /enum-drivers without the filter and search the output.
Verify Fix Applied:
Confirm that the installed driver version is greater than 1.14.0.0 (the fixed range stated under Official Fix) in Device Manager properties or in the pnputil output, and that no older RtsUpx package remains in the driver store.
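The version check and the stop-gap workaround above can be done in one pass from an elevated PowerShell session. The script below is an added example, not code from the original page or from Realtek: it enumerates PnP devices bound to a Realtek driver whose name matches RtsUpx, compares the reported driver version with the 1.14.0.0 threshold the page gives, and, only when -Disable is passed, disables the devices still running a vulnerable driver. The name pattern, the fields matched, and the assumption that the fix is in versions strictly greater than 1.14.0.0 come from this page, not from the vendor PDF; confirm them against the advisory before relying on the result.

```powershell
# Added example (not Realtek's code and not from the original page).
# Finds devices bound to a Realtek "RtsUpx" driver, flags versions at or below
# the fixed threshold the page states, and optionally disables those devices.
# Run as Administrator. Pattern and threshold are assumptions to confirm.
param(
    [version]$FixedAfter = '1.14.0.0',   # page: versions after 1.14.0.0 are fixed
    [string]$Pattern     = '*RtsUpx*',   # assumed name fragment of the driver/device
    [switch]$Disable                     # actually disable matching devices (default: report)
)

# Win32_PnPSignedDriver exposes, per bound device, the driver provider, the
# INF published name (oemNN.inf), the version string, and the device instance ID.
$matches = Get-CimInstance Win32_PnPSignedDriver | Where-Object {
    $_.DriverProviderName -like '*Realtek*' -and (
        $_.DeviceName   -like $Pattern -or
        $_.Description  -like $Pattern -or
        $_.FriendlyName -like $Pattern
    )
}

if (-not $matches) {
    Write-Output "No Realtek devices matching '$Pattern' are bound to a driver on this host."
    return
}

foreach ($d in $matches) {
    $ver    = $null
    $status = 'UNKNOWN (version string not parseable)'
    if ([version]::TryParse($d.DriverVersion, [ref]$ver)) {
        # The page states that versions after 1.14.0.0 contain the fix.
        $status = if ($ver -gt $FixedAfter) { 'patched' } else { 'VULNERABLE' }
    }

    [pscustomobject]@{
        Device   = $d.DeviceName
        Class    = $d.DeviceClass
        Inf      = $d.InfName
        Version  = $d.DriverVersion
        Status   = $status
        DeviceID = $d.DeviceID
    }

    if ($Disable -and $status -eq 'VULNERABLE') {
        # Disabling the device unloads the driver for that device; the camera,
        # hub or audio function stops working until Enable-PnpDevice is run
        # after the updated driver has been installed.
        Disable-PnpDevice -InstanceId $d.DeviceID -Confirm:$false
        Write-Output "Disabled $($d.DeviceID)"
    }
}
```

Run it without switches first to get the inventory; rerun with -Disable only on hosts where the loss of the Realtek camera/hub/audio function is acceptable until the patched driver is deployed.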
📡 Detection & Monitoring
Log Indicators:
- Sysmon Event ID 6 (DriverLoad) with ImageLoaded naming the RtsUpx driver binary: this is the host inventory signal, and a load from outside %SystemRoot%\System32\drivers or with Signed set to false is itself suspicious. (Event IDs 6005/6006 are the Event Log service starting and stopping and have nothing to do with driver access.)
- System log Event ID 7045 (a new service was installed) whose image path references RtsUpx, indicating a driver package being (re)installed.
- Security Event ID 4688 (or Sysmon Event ID 1) where a process running as SYSTEM is created by a non-SYSTEM, medium-integrity creator: the usual footprint of a successful local privilege escalation, whichever driver was abused.
Network Indicators:
- None specific to this bug; it is exploited locally. Outbound command-and-control traffic from hosts on which the vulnerable driver is loaded is the only network-side signal, and it appears after the escalation.
SIEM Query:
EventID=4688 AND (NewProcessName="*RtsUpx*" OR CommandLine="*RtsUpx*")
This query only catches processes whose name or command line mentions RtsUpx; the driver is loaded by the kernel rather than run as a process, and an exploit can be any user-mode binary, so pair it with a driver-load query such as EventID=6 AND ImageLoaded="*RtsUpx*" (Sysmon) and with the creator/target user mismatch on 4688 described above.
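The checks above can be expressed as one triage function. The block below is an added example, not code from the original page: it normalizes a few event shapes into hashtables (Sysmon 6 DriverLoad, System 7045 service install, and process-creation records from Sysmon 1 or Security 4688 with User/ParentUser fields as recent Sysmon versions emit them), applies the page's process-name check plus the driver-load and privilege-jump checks, and runs over constructed sample events. Field names follow Sysmon and the Windows System/Security logs; the sample paths, names and users are invented for the demonstration.

```powershell
# Added example (not from the original page): triage logic for the indicators
# listed under Detection & Monitoring. Event shapes follow Sysmon (Ids 6 and 1)
# and the System/Security logs (7045, 4688); sample data below is constructed.
function Test-RtsUpxEvent {
    param([Parameter(Mandatory)][hashtable]$e)

    switch ($e.Id) {
        # Sysmon 6: a kernel driver was loaded. Any RtsUpx load is worth an
        # inventory entry; an unsigned binary or a non-standard path is an alert.
        6 {
            if ($e.ImageLoaded -notlike '*RtsUpx*') { return $null }
            $badPath = $e.ImageLoaded -notlike '*\Windows\System32\drivers\*'
            $unsigned = ($e.Signed -ne 'true')
            $sev = if ($badPath -or $unsigned) { 'ALERT' } else { 'INVENTORY' }
            return "$sev DriverLoad $($e.ImageLoaded) signed=$($e.Signed)"
        }
        # System 7045: a new service registered with an RtsUpx image path, i.e.
        # a driver package being (re)installed.
        7045 {
            if ($e.ImagePath -like '*RtsUpx*') {
                return "ALERT ServiceInstall $($e.ServiceName) -> $($e.ImagePath)"
            }
            return $null
        }
        # Sysmon 1 / Security 4688: keep the page's name check, then look for the
        # footprint of a successful LPE: a SYSTEM process whose creator is not SYSTEM.
        { $_ -in 1, 4688 } {
            if ($e.Image -like '*RtsUpx*' -or $e.CommandLine -like '*RtsUpx*') {
                return "ALERT ProcessRefersToRtsUpx $($e.Image)"
            }
            if ($e.User -like '*\SYSTEM' -and $e.ParentUser -and $e.ParentUser -notlike '*\SYSTEM') {
                return "ALERT PrivilegeJump $($e.ParentUser) [$($e.ParentImage)] -> SYSTEM [$($e.Image)]"
            }
            return $null
        }
    }
    return $null
}

# Constructed sample events (not real telemetry).
$samples = @(
    @{ Id = 6;    ImageLoaded = 'C:\Windows\System32\drivers\RtsUpx.sys'; Signed = 'true' },
    @{ Id = 6;    ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\RtsUpx.sys'; Signed = 'false' },
    @{ Id = 7045; ServiceName = 'RtsUpx'; ImagePath = '\SystemRoot\System32\drivers\RtsUpx.sys' },
    @{ Id = 1;    Image = 'C:\Users\alice\Downloads\poc.exe'; CommandLine = 'poc.exe';
                  User = 'CORP\alice'; ParentUser = 'CORP\alice'; ParentImage = 'C:\Windows\explorer.exe' },
    @{ Id = 1;    Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe';
                  User = 'NT AUTHORITY\SYSTEM'; ParentUser = 'CORP\alice';
                  ParentImage = 'C:\Users\alice\Downloads\poc.exe' },
    @{ Id = 4688; Image = 'C:\Windows\System32\svchost.exe'; CommandLine = 'svchost.exe -k netsvcs';
                  User = 'NT AUTHORITY\SYSTEM'; ParentUser = 'NT AUTHORITY\SYSTEM';
                  ParentImage = 'C:\Windows\System32\services.exe' }
)

foreach ($s in $samples) {
    $hit = Test-RtsUpxEvent -e $s
    if ($hit) { Write-Output $hit }
}
```

Against the constructed samples, the first driver load is recorded as inventory, the Temp-folder load and the 7045 entry are alerts, the user's own poc.exe is silent, the SYSTEM cmd.exe spawned by that process trips the privilege-jump check, and the services.exe-to-svchost.exe pair (both SYSTEM) is ignored. When wiring this to live data, map Security 4688's SubjectUserName (creator) and TargetUserName (new process) onto ParentUser and User; Sysmon 1 carries ParentUser directly on recent versions.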