A firmware vulnerability in TP-Link Archer C5 v4 routers (used in enterprise and home environments) could allow unauthorized, remote access to the device with administrative privileges.
The bug (CVE-2017-7405) affects models that run firmware version 3.16.0 0.9.1 v600c.0 Build 180124 Rel.28919n. First discovered by IBM X-Force Red’s Grzegorz Wypych, it could allow a remote attacker to spread laterally though a network, by first taking control of the router’s configuration via Telnet on the LAN and then connecting to a file transfer protocol (FTP) server elsewhere on the LAN.
“If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactic,” he wrote in a blog posting on the flaw this week. “The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi.”
He added, “the bottom line is that the victim’s device, FTP (if configured to be used on WAN) and Telnet (LAN only) can become completely exposed to an attacker.”
The flaw can be exploited by sending through specially crafted HTTP CGI requests to the router containing a password request that is either shorter or longer than the expected string. In the first case, the password value is distorted into non-ASCII bytes, which corrupts the password file and causes a denial-of-service issue; in the latter instance, it voids the device’s password requirement altogether and replaces the string with an empty value.
“[With] the short string…the result is that the user would not be able to log in, and nor would the attacker. This issue affects Telnet, FTP and the web service,” explained the researcher. “[With the long string], the password was voided altogether, and the value was now empty. From this point on, we were able to access Telnet and FTP without any password, using only ‘admin’ as the username, which is the only available user on the device by default.”
This TP-Link device only features one user type — admin with root privileges — and all processes are run by the user under this access level, he noted.
After attaining administrative access, Wypych discovered that it is also possible to remotely manage the router over a secure HTTPS connection, which “is also vulnerable to this CGI attack,” Wypych said.
Takeover and attaining privileged access to the network is one outcome of an exploit, but a legitimate user would also be locked out.
“[The user] would no longer be able to log in to the web service through the user interface since that page would no longer accept any passwords,” the researcher noted. “In such an event, the victim could lose access to the console and even a shell, and thereby would not be able to re-establish a new password. Even if there was a way to set a new password, the next vulnerable LAN/WAN/CGI request would, once again, void the password. The only access would, therefore, be FTP files via a USB port connection.”
The TP-Link bug is only the latest example of endemic issues in internet of things (IoT) security.
“Nowadays, almost every home uses a router, but five out of six routers are inadequately updated for security flaws, according to a study from the American Consumer Institute,” Wypych noted. “When these flaws surface, they expose millions of home and business users to the risk of data compromise. And it’s not only textual information that can be lost — think about footage from webcams, baby monitors and other connected devices in the home that use that same router to connect to the internet.”
In this case, patches have been issued by TP-Link to address the bug in version TP-Link Archer C5 v4 and other versions (Archer MR200v4, Archer MR6400v4 and Archer MR400v3) that may be at risk.
“With any internet-facing devices, it is important for organizations to be aware of patches and updates available for their systems,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “Attackers are always searching for vulnerable internet-facing devices and with any known vulnerability, it will be added to their exploit arsenal to use against organizations. Organizations need to implement the patch as soon as possible using their security program’s change management procedures. If organizations fail to implement these patches, they increase their risk of attack and possible data breach of their network and systems.”
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.