TP-Link patched a critical vulnerability impacting some of its Archer routers that could allow potential attackers to void their admin passwords and remotely take control of the devices over LAN via a Telnet connection.

"If exploited, this router vulnerability can allow a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN)," found IBM X-Force Red's Grzegorz Wypych.

To exploit this security flaw, attackers have to send an HTTP request containing a character string longer than the allowed number of bytes, with the result being that the user password is completely voided and replaced with an empty value.

This works despite the built-in validation because that validation only checks the HTTP Referer header: by supplying the hardcoded tplinkwifi.net value, the attacker tricks the router's httpd service into treating the request as valid.

tplinkwifi.net referrer header used for validation (IBM X-Force Red)
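The weakness described above is a validation step that trusts a Referer header in place of authentication, combined with an overlong value that blanks the stored password rather than being rejected. The following toy model, added here and not TP-Link firmware code, contrasts that pattern with a hardened handler; the password limit, field names and sample credentials are assumptions chosen for the model.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumptions for the toy model, not values taken from TP-Link firmware:
MAX_PASSWORD_LEN = 15
TRUSTED_HOST = "tplinkwifi.net"   # the hardcoded value the article mentions


@dataclass
class RouterState:
    admin_password: str = "correct-horse"      # constructed sample value
    sessions: set = field(default_factory=set)  # valid session tokens


def referer_ok(headers):
    """Compare the parsed Referer host, not a raw string prefix."""
    return urlparse(headers.get("Referer", "")).hostname == TRUSTED_HOST


def vulnerable_set_password(state, headers, new_password):
    """Models the flaw: the Referer check is the only gate, and an overlong
    value leaves the stored password empty instead of being rejected."""
    if not referer_ok(headers):
        return "rejected: bad referer"
    if len(new_password) > MAX_PASSWORD_LEN:
        state.admin_password = ""          # the "voided" password
        return "error: value too long"
    state.admin_password = new_password
    return "ok"


def vulnerable_login(state, password):
    """No guard against an empty stored value, so "" logs in after the void."""
    return password == state.admin_password


def hardened_set_password(state, headers, session_token, new_password):
    """Authenticate first, keep the Referer check only as a CSRF defence,
    and validate input length before touching any state."""
    if session_token not in state.sessions:
        return "rejected: not authenticated"
    if not referer_ok(headers):
        return "rejected: bad referer"
    if not 1 <= len(new_password) <= MAX_PASSWORD_LEN:
        return "rejected: invalid length"  # stored password is left unchanged
    state.admin_password = new_password
    return "ok"


def hardened_login(state, password):
    """Refuse empty credentials even if the stored value were ever blanked."""
    return bool(password) and password == state.admin_password
```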

Full router takeover

Since the only user type on these routers is admin, with full root permissions, threat actors who bypass the authentication process automatically get admin privileges on the router.

From here on, "all processes are run by the user under this access level, which can allow an attacker to operate as admin and take over the device."

"Not only can attackers attain privileged access, but the legitimate user can also be locked out and would no longer be able to log in to the web service through the user interface since that page would no longer accept any passwords (unbeknownst to the user)," Wypych adds.

"In such an event, the victim could lose access to the console and even a shell, and thereby would not be able to re-establish a new password."

Logging in with a void admin password (IBM X-Force Red)

To make things even worse, even if the router owner set a new password on the device, attackers could void it again with another LAN/WAN/CGI request, leaving the USB connections to the built-in FTP server as the only way to access it.

Furthermore, RSA encryption keys would automatically fail too since they won't work with empty passwords.

"This flaw is considered critical since it can grant an unauthorized third-party access to the router with admin privileges, which are the default on this device for all users, without proper authentication taking place," Wypych explains.

"The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactics."

Security patches available

TP-Link has already released patches to help customers protect their routers against attacks that would abuse the security vulnerability currently tracked as CVE-2019-7405.

You can download the security patches for the Archer C5 V4, Archer MR200v4, Archer MR6400v4, and Archer MR400v3 routers from the table embedded below.

Vulnerable TP-Link router   Security patch
Archer C5 V4                https://static.tp-link.com/2019/201909/20190917/Archer_C5v4190815.rar
Archer MR200v4              https://static.tp-link.com/2019/201909/20190903/Archer%20MR200(EU)_V4_20190730.zip
Archer MR6400v4             https://static.tp-link.com/2019/201908/20190826/Archer%20MR6400(EU)_V4_20190730.zip
Archer MR400v3              https://static.tp-link.com/2019/201908/20190826/Archer%20MR400(EU)_V3_20190730.zip
