TP-Link fixes 2 Remote Code Execution flaws in TL-R600VPN SOHO Router and other issues

Pierluigi Paganini November 20, 2018

TP-Link has addressed several vulnerabilities, including a remote code execution flaw, in its TL-R600VPN small and home office (SOHO) router.

TP-Link as fixed four security vulnerabilities in the TL-R600VPN small and home office (SOHO) router that were reported by experts at Cisco Talos.

The vulnerabilities are two remote code execution (RCE) flaws(CVE-2018-3950, CVE-2018-3951), a denial-of-service issue (CVE-2018-3948), and a server information disclosure bug (CVE-2018-394).

The DOS and server information disclosure vulnerabilities are caused by the lack of input sanitization and parsing errors.

The lack of proper input sanitization can be exploited without authentication to trigger DoS conditions and leak server information.

Both remote code execution flaws can only by a malicious logged-in user, or by a malicious code that got the necessary credential.

Talos experts explained that parsing errors require an authenticated session for exploitation, a circumstance that can lead to remote code execution under the context of HTTPD. The HTTPD process runs as root, this means that the code would be executed with elevated privileges.

The CVE-2018-3948 DoS flaw affects the URI-parsing function of the TL-R600VPN HTTP server.

“An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server.” reads the advisory published Cisco reports

“If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn’t need to be authenticated,” 

The embedded HTTP server can expose sensitive system files due to a directory traversal flaw (CVE-2018-3949) that can be exploited by both authenticated and unauthenticated attackers.  An unauthenticated or an authenticated attacker can trigger the flaw by using a specially crafted URL.

One of the two RCE issues, tracked as CVE-2018-3950, resided in the ping and traceroute functions of the TL-R600VPN HTTP server. The devices fils to check the size of the data passed to its ‘ping_addr’ field when performing a ping operation.

“An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its ‘ping_addr’ field when performing a ping operation.” states Cisco Talos.

“By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device’s HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.”


The last issue is a remote code execution flaw tracked as CVE-2018-3951 that resides in the HTTP header-parsing function of the TL-R600VPN HTTP server.

An authenticated attacker can trigger a buffer overflow vulnerability by sending a specially crafted HTTP request, this leads a remote code execution.

“During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request,” states the advisory.

TP-Link has released firmware updates that address the flaws, owners of the TL-R600VPN routers urge to update their devices as soon as possible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – TL-R600VPN, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment