How large is the potential for damage?
I bought this router some time ago for a private project. However, before I put it into operation, I took a closer look at it. After a short time, I had already identified a so-called command-injection vulnerability in the router, which allows an attacker to execute arbitrary commands on it. After a brief search, it turned out that this problem was probably already known in a similar form and is listed under CVE-2019-15060.
However, it does not appear to have been properly addressed. Now my interest was awakened – I looked for more vulnerabilities and asked myself to what extent attackers from the Internet could exploit them, and how severe that would be. Here, I immediately remembered the Mirai botnet, which went through the media at the end of 2016 and largely consisted of hijacked IoT devices (IoT = Internet of Things), such as WLAN routers. So my question was: Can the router become part of a botnet via the security hole I found?
Various security vulnerabilities
If I look at the command-injection vulnerability alone, attackers from the Internet cannot exploit it “just like that”. For example, the password set by the user is required, and there must be access to the router’s configuration page. For a WLAN router located in the local network, these requirements are not necessarily easy to meet. At first glance, the question of potential damage seems to be answered quickly. However, the heart of a penetration tester beats in my chest – and so I could not resist the urge to do some research.
In the end, I had identified several vulnerabilities that, in combination, would allow me to take over the router completely from the Internet. The only requirement is that the owner of the WLAN router visits an attacker’s website while the owner is in the same network as the WLAN router. For such a device, this is a quite realistic assumption.
Overall, after further analysis, I identified the following vulnerabilities:
- Command injection vulnerability
- Unauthorized access to the configuration backup
- DNS rebinding vulnerability
- Stored Cross Site Scripting
- Weak standard password for the WLAN
I communicated these weaknesses to the manufacturer at the beginning of this year and received a quick response. Then came the Corona crisis.
90-day deadline significantly extended
Usually we allow the vendor a 90-day period to fix a vulnerability we found and to provide a patch. In exceptional cases, we will of course allow more time. Due to the Corona crisis, which has affected all of us in our daily lives, we have waived this 90-day period and extended it significantly – until today.
Today, with this blog entry, we would like to point out that there are various critical vulnerabilities in the TP-Link TL-WR840N router. The vulnerabilities allow a remote attacker to gain complete control over the WLAN router.
Owners are advised to update the firmware as soon as possible to ensure that nobody hijacks the WLAN router and uses it for criminal purposes. Please refer to the TP-Link website. We also recommend changing the router’s default WLAN password, as an attacker within range of the WLAN can easily reconstruct it. Unfortunately, a weak password printed on the device and preset by default cannot be fixed by a firmware update. The change is therefore the responsibility of the user. It is important to note that the weak preset password also affects other TP-Link routers, including the AC1750 from TP-Link.
Patch now available
Finally, I would like to examine critically whether it is right to wait more than 90 days for the release; after all, the security holes exist regardless of Corona. Yet with this publication there is a higher risk that others will combine the vulnerabilities found and exploit them for criminal purposes. From my point of view, the question of the right time is a tightrope walk. There will be voices saying that it is irresponsible to wait so long, while others say just the opposite. Therefore, there is no single right answer to the question of when a security vulnerability should be released. As TP-Link has made a patch available for the critical vulnerabilities, it is now definitely time to release the information. Please note that the DNS rebinding vulnerability is not addressed by the patch.
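Since the DNS rebinding part of the chain remains unpatched, the two places where it can be cut off are the router’s own web interface (accept only requests whose Host header names the router) and the local resolver (drop answers in which a public name resolves to a private address, as dnsmasq’s --stop-dns-rebind does). The following Python is an added illustration, not code from this post or from the router’s firmware; the router address 192.168.0.1, the name router.lan and the .lan local suffix are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for illustration (not from the original post): the router's LAN
# address, a name its admin interface may legitimately be called by, and the
# local DNS zone in which private answers are expected.
ROUTER_ADDRESSES = {"192.168.0.1"}
ROUTER_NAMES = {"router.lan"}
LOCAL_DNS_SUFFIX = ".lan"

# Address ranges that a public DNS name for a remote site must never resolve to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def host_header_is_trusted(host_header: str) -> bool:
    """Server-side mitigation the router's web UI needs: serve the configuration
    pages only if the Host header names the router itself. A rebound request
    carries the attacker's hostname in Host, because the victim's browser still
    believes it is talking to the attacker's site."""
    try:
        # The leading '//' makes urlsplit parse the value as an authority,
        # which handles an optional :port and bracketed IPv6 literals.
        hostname = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    if not hostname:
        return False
    return hostname in ROUTER_ADDRESSES or hostname in ROUTER_NAMES


def dns_answer_is_rebinding(qname: str, rdata: str) -> bool:
    """Resolver-side mitigation: a name outside the local zone that resolves to
    a private, loopback or link-local address is a rebinding attempt and the
    answer should be dropped instead of handed to the client."""
    if qname.lower().rstrip(".").endswith(LOCAL_DNS_SUFFIX):
        return False
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in LOCAL_NETS)


if __name__ == "__main__":
    # Constructed requests as the router would see them during the chain from the
    # post: the victim's browser, lured to attacker.example, is rebound to the
    # router's LAN address and starts issuing requests to the admin interface.
    for host in ("attacker.example", "192.168.0.1:80", "router.lan"):
        verdict = "accept" if host_header_is_trusted(host) else "reject"
        print(f"Host: {host:<18} -> {verdict}")
    print(dns_answer_is_rebinding("attacker.example", "192.168.0.1"))  # True
```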
In any case, I would also like to thank the German Federal Office for Information Security who supported me in the background.
Dr. Benedikt Westermann
Publishing - Lead Security Analyst