Chaining an authentication flaw with a newly discovered CSRF vulnerability allows remote, unauthenticated attackers to obtain full control over the TP-Link TL-WR841N, a popular consumer wireless router used worldwide.
“This type of remote attack can also compromise routers behind a network address translator (NAT) and those not exposed to the public wide area network (WAN) as the vulnerability is remotely reflected off a locally connected host, rather than coming directly over WAN,” says Tenable researcher David Wells.
These flaws have not yet been fixed and still need to be patched by TP-Link.
The vulnerabilities were identified as follows:
- CVE-2018-11714 – a local improper authentication flaw that allows unauthenticated attackers to trigger a set of sensitive CGI routines in the router’s admin web page by spoofing the HTTP Referrer header so that the request appears to come from tplinkwifi.net, tplinklogin.net or the router’s IP address.
- CVE-2018-15702 – a cross-site request forgery flaw in the HTTP referrer whitelist check function in the router’s httpd service.
- CVE-2018-15700 and CVE-2018-15701 – two local, unauthenticated denial of service (DoS) vulnerabilities that cause the httpd service to crash when it receives a malformed HTTP request.
The flaw identified as CVE-2018-11714 was discovered and reported by another researcher. CVE-2018-15702, on the other hand, is what makes a remote attack possible.
The problem rests
The problem lies in the function that checks whether a supplied HTTP referrer matches one of the whitelisted values (tplinkwifi.net, tplinklogin.net or the router’s IP address): it compares only the first 14 or 15 characters.
“Because of this, it turns out that an attacker could simply host an iframe with subdomain of tplinkwifi.net.*, such as: http://tplinkwifi.net.drive-by-attack[.]com, and can force any TP-Link connected user into performing a CSRF to bypass authentication and the referer whitelisting logic to successfully invoke the router’s sensitive CGI routines,” Wells explained.
“Through these routines, an attacker can obtain full control over the router, such as uploading a new configuration file via CSRF which will change the admin’s username/password as well as enable the router’s remote administration interface to allow full remote control of the device across the internet.”
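The following Python snippet is an added illustration and is not code from the article, from Tenable, or from the router’s firmware. It models the weakness described above (a referrer check that compares only as many leading characters as the whitelisted name has) next to a hardened version that parses the Referer value as a URL and requires an exact hostname match. The router IP and the hostnames ending in `.example` are constructed sample values.

```python
from urllib.parse import urlsplit

# Hostnames the article says the router treats as trusted referrers.
ALLOWED_HOSTS = ("tplinkwifi.net", "tplinklogin.net")


def weak_referer_allowed(referer: str, router_ip: str) -> bool:
    """Model of the flawed check described for CVE-2018-15702.

    Only the leading characters of the Referer host are compared, so any
    hostname that merely starts with a whitelisted name is accepted.
    This function reproduces the bug for demonstration only.
    """
    host = urlsplit(referer).hostname or ""
    for allowed in (*ALLOWED_HOSTS, router_ip):
        # Prefix comparison: len("tplinkwifi.net") == 14, len("tplinklogin.net") == 15,
        # which is exactly the "first 14 or 15 characters" weakness.
        if host[: len(allowed)] == allowed:
            return True
    return False


def strict_referer_allowed(referer: str, router_ip: str) -> bool:
    """Hardened check: fail closed, parse the URL, and require an exact
    hostname match rather than a prefix match."""
    if not referer:
        return False  # missing header: reject rather than assume same-origin
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False  # malformed URL (for example a bracketed host)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname already strips the port and lowercases; drop a trailing dot
    # so "tplinkwifi.net." is not treated as a distinct name.
    host = (parts.hostname or "").rstrip(".")
    return host in {*ALLOWED_HOSTS, router_ip}


def compare_checks(referer: str, router_ip: str = "192.168.0.1") -> dict:
    """Run both checks on one Referer value so the difference is visible."""
    return {
        "referer": referer,
        "weak_prefix_check": weak_referer_allowed(referer, router_ip),
        "strict_exact_check": strict_referer_allowed(referer, router_ip),
    }


if __name__ == "__main__":
    # Constructed sample values: a legitimate origin and a look-alike
    # subdomain of the kind the article describes.
    for sample in (
        "http://tplinkwifi.net/userRpm/index.htm",
        "http://tplinkwifi.net.drive-by-attack.example/",
        "http://192.168.0.1/",
        "",
    ):
        print(compare_checks(sample))
```

The point to take from the comparison is that a prefix match on a hostname is not an origin check at all: every name that begins with the trusted string passes, including an attacker-registered subdomain and, in this model, any IP address whose text begins with the router’s IP. Even the strict version only validates a header the browser supplies, so it belongs alongside a per-session anti-CSRF token on the sensitive CGI routines, not in place of one.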
What do consumers need to do? Tenable advises them to contact the vendor directly for further information and to press the company to provide fixes for the flaws.
Pedro Tavares is an information security professional working as an ethical hacker/pentester, malware researcher and security evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.