
TP-Link fixes 2 Remote Code Execution flaws in TL-R600VPN SOHO Router and other issues

TP-Link has addressed several vulnerabilities, including a remote code execution flaw, in its TL-R600VPN small and home office (SOHO) router.

TP-Link has fixed four security vulnerabilities in the TL-R600VPN small and home office (SOHO) router that were reported by experts at Cisco Talos.

The vulnerabilities are two remote code execution (RCE) flaws (CVE-2018-3950, CVE-2018-3951), a denial-of-service issue (CVE-2018-3948), and a server information disclosure bug (CVE-2018-3949).

The DoS and server information disclosure vulnerabilities are caused by a lack of input sanitization and by parsing errors.

The lack of proper input sanitization can be exploited without authentication to trigger DoS conditions and leak server information.

Both remote code execution flaws can only be exploited by a malicious logged-in user, or by malicious code that has obtained the necessary credentials.

Talos experts explained that the parsing errors require an authenticated session for exploitation and can lead to remote code execution in the context of HTTPD. Because the HTTPD process runs as root, the code would be executed with elevated privileges.

The CVE-2018-3948 DoS flaw affects the URI-parsing function of the TL-R600VPN HTTP server.

“An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server,” reads the advisory published by Cisco Talos.

“If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn’t need to be authenticated.”

The embedded HTTP server can also expose sensitive system files through a directory traversal flaw (CVE-2018-3949) that both authenticated and unauthenticated attackers can trigger with a specially crafted URL.

One of the two RCE issues, tracked as CVE-2018-3950, resides in the ping and traceroute functions of the TL-R600VPN HTTP server. The device fails to check the size of the data passed to its ‘ping_addr’ field when performing a ping operation.

“An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its ‘ping_addr’ field when performing a ping operation.” states Cisco Talos.

“By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device’s HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.”

The last issue is a remote code execution flaw tracked as CVE-2018-3951 that resides in the HTTP header-parsing function of the TL-R600VPN HTTP server.

An authenticated attacker can trigger a buffer overflow by sending a specially crafted HTTP request, which leads to remote code execution.

“During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request,” states the advisory.
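Both RCE issues share one defective pattern: a length derived from the request is trusted without being checked against the destination buffer. The C below is an added example, not TP-Link's or Talos's code, showing the two checks that close that pattern: a bounded, validated copy for the ‘ping_addr’ field and a bounds test before a user-controlled header length is added to the parser offset. PING_ADDR_MAX, ping_addr_accepted and header_fits are assumed names and sizes, not the router's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed size for the ping_addr stack buffer; the router's real value is not public here. */
#define PING_ADDR_MAX 64

/* Bounded, validated copy of the ping_addr field into a fixed buffer.
 * Replaces the unbounded-copy pattern the advisory describes: the length is
 * checked before any byte is written, and only hostname/IP characters pass. */
static bool copy_ping_addr(const char *field, size_t field_len,
                           char out[PING_ADDR_MAX])
{
    if (field == NULL || field_len == 0 || field_len >= PING_ADDR_MAX)
        return false;                  /* too long for the buffer: reject, don't overflow */
    for (size_t i = 0; i < field_len; i++) {
        unsigned char c = (unsigned char)field[i];
        bool ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                  (c >= 'A' && c <= 'Z') || c == '.' || c == '-' || c == ':';
        if (!ok)
            return false;              /* not a plausible IPv4/IPv6/hostname character */
    }
    memcpy(out, field, field_len);
    out[field_len] = '\0';
    return true;
}

/* Convenience wrapper (assumed name): does this ping_addr value pass the checks above? */
static bool ping_addr_accepted(const char *field)
{
    char buf[PING_ADDR_MAX];
    return copy_ping_addr(field, strlen(field), buf);
}

/* Does adding a user-controlled header length to the current offset stay
 * inside the input buffer? The described defect performs the addition without this check. */
static bool header_fits(size_t offset, size_t header_len, size_t buf_len)
{
    return header_len <= buf_len && offset <= buf_len - header_len;
}

int main(void)
{
    /* Constructed inputs: a valid address, and a header length larger than the buffer. */
    printf("ping_addr accepted: %d\n", ping_addr_accepted("192.168.0.1"));  /* 1 */
    printf("header fits: %d\n", header_fits(10, 100, 64));                  /* 0 */
    return 0;
}
```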

TP-Link has released firmware updates that address the flaws; owners of TL-R600VPN routers are urged to update their devices as soon as possible.


Pierluigi Paganini

(Security Affairs – TL-R600VPN, hacking)
