A firmware vulnerability in TP-Link Archer C5 v4 routers (used in enterprise and home environments) could allow unauthorised, remote access to the device with administrative privileges enabling Remote attackers to potentially move laterally through the LAN or WAN.
The bug (CVE-2017-7405) affects models that run firmware version 3.16.0 0.9.1 v600c.0 Build 180124 Rel.28919n. First discovered by IBM X-Force Red’s Grzegorz Wypych, it could potentially permit a remote attacker to spread laterally though a network, by first taking control of the router’s configuration via Telnet on the LAN and then connecting to a file transfer protocol (FTP) server elsewhere on the LAN.
When placed on a business network, a compromised router can become a point of entry to an attacker, and a place to launch from. The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. FTP (if configured to be used on WAN) and Telnet (LAN only) can become completely exposed to an attacker.
Exploitation is achieved by sending through specially formulated HTTP CGI requests to the router containing a password request that is either shorter or longer than the anticipated string. In the first case, the password value is distorted into non-ASCII bytes, which corrupts the password file and causes a denial-of-service issue; in the latter instance, it voids the device’s password requirement altogether and replaces the string with an empty value.
With the latter instance being achieved, i.e. longer string…the result is that the password was voided altogether, and the value is now empty. From this point on, the attacker could access Telnet and FTP without any password, using only ‘admin’ as the username, which is the only available user on the device by default.
It should be noted, this TP-Link device only features one user type — admin with root privileges — and all processes are run by the user under this access level.
After attaining administrative access, it is also possible to remotely manage the router over a secure HTTPS connection, which “is also vulnerable to this CGI attack.
Takeover and attaining privileged access to the network is one outcome of an exploit, but a legitimate user would also be locked out.
The user would no longer be able to log in to the web service through the user interface since that page would no longer accept any passwords. In such an event, the victim could lose access to the console and thereby would not be able to re-set a new password. Even if there was a way to set a new password, the next vulnerable LAN/WAN/CGI request would, once again, void the password.
When these flaws surface, they expose millions of businesses and homes to the risk of data compromise. And it’s not only textual information that can be lost — think about footage from webcams, baby monitors and other connected devices in the home that use that same router to connect to the internet.
Patches have been issued by TP-Link to address the bug in version TP-Link Archer C5 v4 and other versions (Archer MR200v4, Archer MR6400v4 and Archer MR400v3) that may be at risk.
With any internet-facing devices, it is important for businesses to be aware of patches and updates available for their systems. Attackers are always searching for vulnerable internet-facing devices and with any known vulnerability, it will be added to their exploit arsenal to use against SMEs.
Businesses need to implement the patch as soon as possible using their security program’s change management procedures. Failure to implement these patches, increases their risk of attack and possible data breach of their network and systems.