TP-Link’s Archer router series, marketed for high-speed home and small-office traffic, had a vulnerability that, if exploited, could allow attackers to bypass the admin password and take control of the device remotely.
This vulnerability (now tracked as CVE-2019-7405) was first discovered in the TP-Link Archer C5 (v4) router. Grzegorz Wypych, a Senior Security Consultant at IBM X-Force Red, said: “This is a zero-day flaw that was not previously reported and can affect both home and business environments. If exploited, this router vulnerability can allow a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN).”
The vulnerability could be exploited simply by sending, in an HTTP request to the router’s password-change function, a password string longer than the allowed number of bytes; IBM described this as a password overflow. The only built-in validation was a check of the request’s Referer HTTP header, so a request carrying the expected Referer value was accepted as legitimate, and the over-long password was voided and replaced with an empty value.
The affected TP-Link Archer routers have only one user level: admin, which runs with root privileges. Because it is the only access level, every process on the device runs under it, so an attacker who obtains the admin account operates as root and hijacks the device completely. It was also observed that the RSA encryption used by the web login failed, because it does not work with an empty password.
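The following C program is an added illustration of the bug class described in the two paragraphs above; it is hypothetical code, not TP-Link firmware, and does not reproduce the real request format. It models a password-change handler that trusts the Referer alone and “voids” an over-long password to the empty string, beside a hardened handler that rejects the request instead. The field limit of 15 bytes, the trusted host name `router.local`, the CSRF token and the request struct are all assumptions made for the example.

```c
/* Illustrative model of the "password overflow" bug class (hypothetical code,
 * not TP-Link firmware). Assumed for the example: a 15-byte password limit,
 * a trusted host "router.local" in the Referer, and a per-session token. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 15                 /* hypothetical allowed length */
#define TRUSTED_HOST "router.local"     /* hypothetical trusted Referer host */

struct request {                        /* hypothetical minimal request */
    const char *referer;
    const char *csrf_token;             /* NULL when the client sends none */
    const char *new_password;
};

/* One account with root privileges: whatever ends up here is what Telnet/FTP accept. */
static char g_admin_password[PASSWORD_MAX + 1] = "initial-pw";

static bool referer_ok(const struct request *req) {
    return req->referer != NULL && strstr(req->referer, TRUSTED_HOST) != NULL;
}

/* Vulnerable: the Referer check is the only validation, and an over-long
 * password is cleared to "" instead of being refused (fails open). */
bool set_password_vulnerable(const struct request *req) {
    if (!referer_ok(req))
        return false;
    char buf[PASSWORD_MAX + 1] = {0};
    if (strlen(req->new_password) <= PASSWORD_MAX)
        strcpy(buf, req->new_password);     /* fits: bounded by the check above */
    /* else: buf stays "" and the request is still reported as a success */
    strcpy(g_admin_password, buf);
    return true;
}

/* Hardened: reject on length (never truncate or clear), require a session-bound
 * token in addition to the Referer, and never store an empty password. */
bool set_password_hardened(const struct request *req, const char *expected_token) {
    if (!referer_ok(req))
        return false;
    if (req->csrf_token == NULL || strcmp(req->csrf_token, expected_token) != 0)
        return false;
    size_t n = strlen(req->new_password);
    if (n == 0 || n > PASSWORD_MAX)
        return false;                       /* fail closed: old password stays */
    memcpy(g_admin_password, req->new_password, n + 1);
    return true;
}

/* Stand-in for the Telnet/FTP login check: compare against the stored value. */
bool login_ok(const char *supplied) {
    return strcmp(supplied, g_admin_password) == 0;
}

/* Over-long value through the vulnerable handler: empty password now logs in. */
bool demo_vulnerable(void) {
    strcpy(g_admin_password, "initial-pw");
    struct request req = { "http://" TRUSTED_HOST "/admin", NULL,
                           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }; /* 40 bytes */
    bool accepted = set_password_vulnerable(&req);
    return accepted && login_ok("") && !login_ok("initial-pw");
}

/* Same request against the hardened handler: refused, old password intact. */
bool demo_hardened_rejects(void) {
    strcpy(g_admin_password, "initial-pw");
    struct request req = { "http://" TRUSTED_HOST "/admin", "tok-123",
                           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    bool accepted = set_password_hardened(&req, "tok-123");
    return !accepted && login_ok("initial-pw") && !login_ok("");
}

/* A well-formed change with the right token still works on the hardened handler. */
bool demo_hardened_accepts(void) {
    strcpy(g_admin_password, "initial-pw");
    struct request req = { "http://" TRUSTED_HOST "/admin", "tok-123", "newpass" };
    return set_password_hardened(&req, "tok-123") && login_ok("newpass");
}

int main(void) {
    printf("vulnerable: empty password accepted after overflow = %s\n",
           demo_vulnerable() ? "yes" : "no");
    printf("hardened:   over-long value rejected              = %s\n",
           demo_hardened_rejects() ? "yes" : "no");
    printf("hardened:   valid change accepted                 = %s\n",
           demo_hardened_accepts() ? "yes" : "no");
    return 0;
}
```

The point of the pair is the failure mode: a length check that clears the field and still returns success turns a validation error into an authentication bypass, and a Referer header is attacker-controlled, so it cannot be the only proof that a state-changing request came from the owner.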
“The risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactics,” explained Wypych.
In such a complete device takeover, the attacker not only gains privileged access but also locks the legitimate owner out of the web interface, since the now-empty password can no longer be used to log in there. TP-Link fixed the vulnerability and released patches for the Archer C5 V4, Archer MR200v4, Archer MR6400v4 and Archer MR400v3 routers; owners of these models should install the updated firmware to protect themselves against such attacks.