Synopsis
Tenable was recently investigating TP-Link's TL-WR841N v13 using firmware 0.9.1 4.16 v0348.0 (listed as TL-WR841N(US)_V13_180119 on the download page). As a result, Tenable found multiple vulnerabilities.
CVE-2018-15700: httpd Denial of Service via Referer Header
A locally connected user sending an HTTP request with a missing protocol string in the "Referer" field will cause the httpd service to terminate. We believe this is a NULL pointer dereference in the http_parser_main function. The problem starts with a memcmp looking for "http://" in the first seven bytes of the "Referer" field. Only if this succeeds is a "Referer" string variable initialized. When the memcmp fails, program flow still continues and attempts string operations on the uninitialized NULL string. The resulting crash requires a router reboot to revive the httpd web interface.
curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: DOS' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' --compressed
CVE-2018-15701: httpd Denial of Service via Cookie Header
Crafting an HTTP request with an HTTP "Cookie" field of "Authorization;" will result in the httpd service terminating. Again, a router reboot is required to revive the web interface. We believe this is another parsing error in "http_parser_main".
curl 'http://tplinkwifi.net/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://tplinkwifi.net/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Cookie: Authorization;' --compressed
CVE-2018-15702: XSRF due to Incomplete Referer Check
In the http_parser_main function, referer whitelisting is accomplished using strncmp with a length field derived from the "tplinklogin.net", "tplinkwifi.net", or router IP strings. Since strncmp only compares that many leading characters of the referer domain string, an attacker can pass this check by crafting a domain or subdomain of the form "tplinklogin.net*", "tplinkwifi.net*", or "<router's IP>*".
This issue is magnified in severity by a previously disclosed but unpatched authentication bypass vulnerability (CVE-2018-11714). Combined, they allow a remote attacker to perform XSRF against various sensitive cgi scripts. A remote attacker is able to enable remote management and reset the router admin password.
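The two Referer handling problems above (proceeding on a header with no "http://" scheme, and a prefix-only strncmp whitelist) can be illustrated side by side. The following is an added example written for this advisory, not code from the TP-Link firmware: it parses the Referer host once, refuses the request when the scheme is missing instead of continuing with an unset string, and contrasts a prefix-only check in the style the advisory describes with an exact-match check. The allowlist hostnames are the ones named in the advisory; the "192.168.0.1" entry is a constructed placeholder standing in for the router's LAN IP, and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical allowlist modelled on the hostnames the advisory names.
 * The IP entry is a constructed placeholder for the router's LAN address. */
static const char *const ALLOWED_HOSTS[] = {
    "tplinklogin.net",
    "tplinkwifi.net",
    "192.168.0.1",
};
#define NUM_ALLOWED (sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0])

/* Copy the host part of an HTTP Referer into `out`.
 * Returns false when the header is absent, lacks an "http://" scheme,
 * or the host is empty or too long; `out` is untouched on false, so a
 * caller can never operate on an uninitialized string. */
static bool referer_host(const char *referer, char *out, size_t outlen)
{
    static const char scheme[] = "http://";
    const size_t slen = sizeof scheme - 1;          /* 7 bytes, as in the advisory */
    if (referer == NULL || strncmp(referer, scheme, slen) != 0)
        return false;                               /* reject; do not continue parsing */
    const char *host = referer + slen;
    size_t n = strcspn(host, "/:?#");               /* host ends at path, port, query, fragment */
    if (n == 0 || n >= outlen)
        return false;
    memcpy(out, host, n);
    out[n] = '\0';
    return true;
}

/* Prefix-only check in the style the advisory describes: strncmp bounded by
 * the allowlist entry's own length, so any host that merely begins with an
 * allowed name is accepted. Kept only to contrast with the exact check. */
bool referer_allowed_prefix(const char *referer)
{
    char host[256];
    if (!referer_host(referer, host, sizeof host))
        return false;
    for (size_t i = 0; i < NUM_ALLOWED; i++)
        if (strncmp(host, ALLOWED_HOSTS[i], strlen(ALLOWED_HOSTS[i])) == 0)
            return true;
    return false;
}

/* Hardened check: the whole extracted host must equal an allowlist entry
 * (case-insensitively, since DNS names are case-insensitive). */
bool referer_allowed_exact(const char *referer)
{
    char host[256];
    if (!referer_host(referer, host, sizeof host))
        return false;
    for (size_t i = 0; i < NUM_ALLOWED; i++)
        if (strcasecmp(host, ALLOWED_HOSTS[i]) == 0)
            return true;
    return false;
}
```

With these, a Referer of "DOS" (no scheme) or a missing header is simply rejected by both checks rather than dereferenced, and a host such as "tplinkwifi.net.example.test" passes only the prefix variant; the exact variant accepts the listed names with or without a trailing path or port.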
Solution
Currently no solution exists. At the time of publication, the most recent firmware version on TP-Link's website is listed as TL-WR841N(US)_V13_180119, which is the vulnerable firmware version (0.9.1 4.16 v0348.0).
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]