IT security vulnerabilities can affect us all. In my last blog entry I described how such vulnerabilities are found by the manufacturer itself or by service providers. In principle, however, any user can find a security hole in a product. This is what happened to me with the TP-Link WR-840N v6.20 router.

How large is the potential for damage?

I bought this router some time ago for a private project. Before I put it into operation, however, I took a closer look at it. After a short time, I had already identified a so-called command-injection vulnerability on the router, which allows an attacker to execute arbitrary commands on the router. After a brief search, it turned out that this problem was probably already known in a similar form and is listed under CVE-2019-15060.

Remember:

CVE stands for Common Vulnerabilities and Exposures and is an industry standard for naming publicly known vulnerabilities.

However, it does not appear to have been properly addressed. Now my interest was awakened – I looked for more vulnerabilities and asked myself to what extent attackers from the Internet could exploit them, and how severe they really are. Here, I immediately remembered the Mirai botnet, which made headlines at the end of 2016 and largely consisted of hijacked IoT devices (IoT = Internet of Things), such as WLAN routers. So my question was: Can the router become part of a botnet via the security hole I found?

Various security vulnerabilities

If I look at the command-injection vulnerability alone, attackers from the Internet cannot exploit it “just like that”. For example, the password set by the user is required, and there must be access to the router’s configuration page. For a WLAN router that is located in the local network, these requirements are not necessarily easy to meet. At first glance, the question of potential damage seems to be answered quickly. However, the heart of a penetration tester beats in my chest – and so I could not resist the urge to do some research.

In the end, I had identified several vulnerabilities that, in combination, would allow me to take over the router completely from the Internet. The only requirement is that the owner of the WLAN router visits the website of an attacker while the owner is in the same network as the WLAN router. For such a device, this is a quite realistic assumption.

Overall, after further analysis, I identified the following vulnerabilities:

  • Command injection vulnerability
  • Unauthorized access to the configuration backup
  • DNS rebinding vulnerability
  • Stored Cross Site Scripting
  • Weak standard password for the WLAN
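The blog post does not show where the command injection sits in the router's web interface, so the following is an added, generic illustration (not the product's code and not the finding itself). It uses a constructed, hypothetical "ping a host" diagnostic form of the kind many router UIs have, and contrasts the vulnerable pattern (user input concatenated into a shell string) with the hardened one (allow-list validation plus an argv list, so no shell ever parses the input). The tokenizer helper only serves to make the difference visible without executing anything:

```python
import re
import shlex
import subprocess

# --- Vulnerable pattern (constructed example, not the router's actual code) ---
def build_ping_command_vulnerable(target: str) -> str:
    """User input is concatenated into a shell command string.

    If this string is later handed to os.system() or subprocess.run(...,
    shell=True), anything after ';', '|' or '&&' in `target` is executed as
    a second command: that is command injection.
    """
    return "ping -c 1 " + target


# --- Hardened pattern ---
# Allow-list: DNS labels or a dotted IPv4 literal, nothing else (no spaces,
# no shell metacharacters, no leading '-' that could be read as an option).
_TARGET_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_target(target: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 address."""
    if len(target) > 253 or not _TARGET_RE.fullmatch(target):
        raise ValueError("invalid ping target")
    return target


def build_ping_command_hardened(target: str) -> list:
    """Validate first, then build an argv list instead of a string."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """shell=False (the default) with an argv list: metacharacters are inert."""
    return subprocess.run(
        build_ping_command_hardened(target),
        capture_output=True, text=True, timeout=10,
    )


# --- Helper to make the problem visible without running anything ---
def count_control_operators(cmd: str) -> int:
    """Tokenize `cmd` the way a POSIX shell would and count control operators.

    shlex with punctuation_chars=True splits ';', '|', '&' (and runs of them
    such as '&&') into their own tokens, just as a shell would treat them as
    command separators.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return sum(1 for tok in lexer if tok in (";", "|", "||", "&", "&&"))


if __name__ == "__main__":
    payload = "8.8.8.8; reboot"          # constructed injection-style input
    print(build_ping_command_vulnerable(payload),
          "->", count_control_operators(build_ping_command_vulnerable(payload)),
          "control operator(s)")
    try:
        build_ping_command_hardened(payload)
    except ValueError as exc:
        print("hardened builder rejected input:", exc)
    print(build_ping_command_hardened("example.com"))
```

The decisive change is not the regular expression but the argv list: even if validation were imperfect, `subprocess.run` without `shell=True` passes the target as a single argument to `ping`, so the shell never gets a chance to interpret it.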

I communicated these weaknesses to the manufacturer at the beginning of this year and received a quick response. Then came the Corona crisis.

90-day deadline significantly extended

Usually we allow the vendor a period of 90 days to fix a vulnerability we have found and to provide a patch. In exceptional cases, we will of course allow more time. Due to the Corona crisis, which has affected all of us in our daily lives, we have waived this 90-day period and extended it significantly – until today.

Today, with this blog entry, we would like to point out that there are various critical vulnerabilities in the TP-Link WR-840N router. The vulnerabilities allow a remote attacker to gain complete control over the WLAN router.


Owners are advised to update the firmware as soon as possible to ensure that nobody hijacks the WLAN router and uses it for criminal purposes. Please refer to the TP-Link website. We also recommend changing the default WLAN password of the router, as an attacker within range of the WLAN can reconstruct it easily. Unfortunately, a weak password printed on the device and preset by default cannot be fixed by a firmware update. The change is therefore the responsibility of the user. It is important to note that the weak preset password also affects other TP-Link routers, including the AC1750 from TP-Link.

Patch now available

Finally, I would like to examine critically whether it is right to wait more than 90 days for the release; after all, the security holes exist regardless of Corona. Yet with this publication there is a higher risk that others will combine the vulnerabilities found and exploit them for criminal purposes. From my point of view, the question of the right time is a tightrope walk. There will be voices saying that it is irresponsible to wait so long, while others say just the opposite. Therefore, there is no single right answer to the question of when a security vulnerability should be released. As TP-Link has made a patch available for the critical vulnerabilities, it is now definitely time to release the information. Please note that the DNS rebinding vulnerability is not addressed by the patch.
In any case, I would also like to thank the German Federal Office for Information Security, who supported me in the background.
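Because the DNS rebinding vulnerability remains unpatched, here is an added illustration of the mitigation a router web interface would need for it; this is example code written for this post, not TP-Link's firmware. In a DNS rebinding attack the victim's browser still believes it is talking to the attacker's domain, so the HTTP Host header carries that domain rather than the router's own address. An admin interface that answers only for its own names (constructed here as the hypothetical LAN address 192.168.0.1 and the hostname tplinkwifi.net, both assumptions) therefore refuses such requests. The function and the tiny demo server below implement that check:

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list for a hypothetical router: the LAN address and the
# local hostname it should answer to. Not the product's real configuration.
ROUTER_HOSTS = {"192.168.0.1", "tplinkwifi.net"}


def normalize_host(host_header: str) -> str:
    """Strip an optional port and IPv6 brackets, lower-case, drop trailing dot."""
    h = host_header.strip().lower()
    if h.startswith("["):                     # "[::1]:8080" -> "::1"
        h = h[1:h.find("]")] if "]" in h else h[1:]
    elif h.count(":") == 1:                   # "name:port" or "v4:port"
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")


def host_allowed(host_header, allowed=ROUTER_HOSTS) -> bool:
    """True only if the Host header names the router itself.

    A rebinding request shows the attacker's domain here, because the
    browser's view of the origin has not changed; rejecting unknown names
    closes that door regardless of what the DNS answer was.
    """
    if not host_header:
        return False
    return normalize_host(host_header) in allowed


class RebindingGuardHandler(BaseHTTPRequestHandler):
    """Minimal admin-page stand-in that enforces the Host check first."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            self.send_response(421)           # Misdirected Request
            self.end_headers()
            self.wfile.write(b"unknown Host header\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"router admin page\n")


if __name__ == "__main__":
    # Demo only: bind locally and compare
    #   curl -H 'Host: 192.168.0.1' http://127.0.0.1:8080/
    #   curl -H 'Host: attacker.example' http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), RebindingGuardHandler).serve_forever()
```

The check has to run before any authentication or session logic, since the whole point of rebinding is that the victim's browser already holds the router's session; it also has to cover every address and name the device is reachable under, otherwise legitimate administration breaks.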

Author: Dr. Benedikt Westermann, Lead Security Analyst

The topic of cybersecurity with its various facets has fascinated Dr. Benedikt Westermann since his studies of computer science. At TÜV Rheinland, he and his team regularly slip into the role of a hacker on behalf of customers in order to find security gaps in software, products and systems before a real attacker can exploit them, for example to get hold of customer and company data. Besides cybersecurity, his hobbies include cooking and cycling.