Researchers from Cisco Talos disclosed four vulnerabilities in TP-Link's TL-R600VPN SOHO routers. Updated firmware is already available, and users are encouraged to install it as soon as possible.
According to the researchers, the problems have only two root causes: improper sanitization of input data and errors in the parser code. Two of the vulnerabilities allow remote execution of arbitrary code in the context of the HTTPD process. Since the HTTP daemon runs as root, malicious code would execute with elevated privileges.
Three of the vulnerabilities affect TL-R600VPN version 3 with firmware build 1.3.0 and version 2 with firmware build 1.2.3. The fourth flaw is present only in TL-R600VPN version 3 with firmware 1.3.0.
The denial-of-service bug CVE-2018-3948, rated 7.5 on the CVSS scale, lies in the URI-parsing function of the device's HTTP server. It is exploited with a malicious HTTP GET request that can be sent without authentication. "If you try to go beyond the resource directory on the vulnerable page (help, images, frames, dynamic form, localization) and the requested page is a directory, not a file, the web server will enter an infinite loop and the management portal will be unavailable," the researchers explain.
Vulnerability CVE-2018-3949, an information-disclosure flaw in the HTTP server, also received 7.5 points. According to Cisco Talos, it allows access to the root directory and reading of any file on the system. Exploiting it does not require authentication.
The RCE bug CVE-2018-3950 lies in the ping (connectivity check) and traceroute (path trace) functions of the HTTP server. As it turned out, the TL-R600VPN does not check the size of the data passed in the ping_addr field when performing a ping. "By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, which will lead to remote code execution or a crash of the device's HTTP server," the Cisco Talos report says. Exploiting the flaw requires authentication, so the severity of CVE-2018-3950 is slightly lower, at 7.2 points.
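A defender watching the management interface can look for the two request shapes described above, the traversal out of a resource directory (CVE-2018-3948/3949) and an oversized ping_addr value (CVE-2018-3950), in web-server access logs. The following detector is an added example, not code from Cisco Talos or TP-Link; the log format, the 255-byte ping_addr limit, the /diag/ping path and the spelling "dynaform" for the page's "dynamic form" directory are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Resource directories named in the advisory; "dynaform" is the assumed
# directory name behind the article's "dynamic form".
RESOURCE_DIRS = {"help", "images", "frames", "dynaform", "localization"}
MAX_PING_ADDR = 255  # assumed cap: longest legal hostname; anything longer is suspect

# Constructed, simplified access-log format: '<src> "<METHOD> <target> HTTP/x.y" <status>'
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def escapes_resource_dir(path):
    """True if a path rooted in a resource directory climbs back out of it."""
    decoded = unquote(unquote(path))  # double-decode to catch %252e%252e encodings
    parts = [p for p in decoded.split("/") if p]
    if not parts or parts[0] not in RESOURCE_DIRS:
        return False
    depth = 0
    for seg in parts[1:]:
        if seg == "..":
            depth -= 1
            if depth < 0:  # stepped above the resource directory
                return True
        elif seg != ".":
            depth += 1
    return False


def classify(line):
    """Return indicator tags for one log line (empty list means nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    url = urlsplit(m["target"])
    if escapes_resource_dir(url.path):
        # A trailing slash marks a directory request, the DoS trigger in CVE-2018-3948.
        tags.append("dir-traversal-directory" if url.path.endswith("/") else "dir-traversal")
    # ping_addr is assumed here to be visible in the query string; a real deployment
    # would need a proxy that logs request bodies for form posts.
    for value in parse_qs(url.query).get("ping_addr", []):
        if len(value) > MAX_PING_ADDR:
            tags.append("oversized-ping_addr")
    return tags
```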
The vulnerability CVE-2018-3951, related to HTTP header parsing, received the same rating. Its exploitation also requires authentication and is done by sending a specially crafted request; if successful, the remote attacker will be able to execute malicious code through a buffer overflow.