CVE-2022-25477 – This vulnerability in Realtek card reader drive... (How to Fix)

Q: What is the severity of CVE-2022-25477?

CVE-2022-25477 has a CVSS score of 5.5 (MEDIUM). This vulnerability in Realtek card reader drivers leaks kernel memory addresses in driver logs, weakening Kernel Address Space Layout Randomization (KASLR). Attackers can use this information to bypass security mitigations and potentially execute more sophisticated attacks. Systems using vulnerable Realtek PCIe or USB card reader drivers are affected.

📋 TL;DR

This vulnerability in Realtek card reader drivers leaks kernel memory addresses in driver logs, weakening Kernel Address Space Layout Randomization (KASLR). Attackers can use this information to bypass security mitigations and potentially execute more sophisticated attacks. Systems using vulnerable Realtek PCIe or USB card reader drivers are affected.

💻 Affected Systems

Products:

Realtek RtsPer driver for PCIe Card Reader
Realtek RtsUer driver for USB Card Reader

Versions: RtsPer.sys before 10.0.22000.21355, RtsUer.sys before 10.0.22000.31274

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with Realtek card readers using vulnerable driver versions. The vulnerability is in the driver itself, not dependent on specific card reader models.

📦 What is this software?

Rtsper by Realtek

View all CVEs affecting Rtsper →

Rtsuer by Realtek

View all CVEs affecting Rtsuer →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers combine this information leak with other vulnerabilities to bypass KASLR and execute kernel-level code, potentially gaining full system control.

🟠

Likely Case

Information disclosure that aids attackers in developing more reliable exploits against the system by bypassing KASLR protections.

🟢

If Mitigated

Limited information disclosure with minimal impact if proper security controls prevent attackers from accessing driver logs.

🌐 Internet-Facing: LOW - This vulnerability requires local access or ability to read driver logs, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Malicious insiders or compromised accounts could leverage this to weaken system security for further attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Proof of concept demonstrates information leakage. Exploitation requires ability to read driver logs and additional vulnerabilities for full system compromise.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RtsPer.sys 10.0.22000.21355+, RtsUer.sys 10.0.22000.31274+

Vendor Advisory: https://www.realtek.com/images/safe-report/Realtek_RtsPer_RtsUer_Security_Advisory_Report.pdf

Restart Required: Yes

Instructions:

1. Download updated drivers from Realtek website or Windows Update. 2. Install updated drivers. 3. Restart system to load patched drivers.

🔧 Temporary Workarounds

Restrict driver log access

windows

Limit access to driver log files to prevent unauthorized reading of leaked addresses

icacls C:\Windows\System32\LogFiles\* /deny Users:(R)

Disable vulnerable card readers

windows

Temporarily disable Realtek card readers in Device Manager if not needed

🧯 If You Can't Patch

Implement strict access controls to prevent unauthorized users from reading system logs
Monitor for suspicious attempts to access driver logs or kernel memory

🔍 How to Verify

Check if Vulnerable:

Check driver versions in Device Manager under 'System devices' for Realtek PCIe/USB Card Reader, or run: driverquery | findstr RtsPer RtsUer

Check Version:

driverquery /v | findstr /i "RtsPer RtsUer"

Verify Fix Applied:

Verify driver versions show 10.0.22000.21355+ for RtsPer.sys or 10.0.22000.31274+ for RtsUer.sys

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to driver log files
Attempts to read kernel memory addresses from logs

Network Indicators:

No direct network indicators - local vulnerability

SIEM Query:

EventID=4663 AND ObjectName="*\LogFiles\*" AND AccessMask="0x1" | where SubjectUserName not in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")

📊 Metadata

CVE ID: CVE-2022-25477

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-532

Published: July 2, 2024

Last Updated: November 21, 2024

🔗 References

http://realtek.com Broken Link
https://gist.github.com/zwclose/feb16f1424779a61cb1d9f6d5681408a Third Party Advisory
https://www.realtek.com/images/safe-report/Realtek_RtsPer_RtsUer_Security_Advisory_Report.pdf Vendor Advisory
https://zwclose.github.io/2024/10/14/rtsper1.html
http://realtek.com Broken Link
https://gist.github.com/zwclose/feb16f1424779a61cb1d9f6d5681408a Third Party Advisory
https://www.realtek.com/images/safe-report/Realtek_RtsPer_RtsUer_Security_Advisory_Report.pdf Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-25477, you might also want to check these: