Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Vulnerabilities in TP-Link routers, WR710N-V1-151022 and Archer C5 V2
Informations
Name VU#572615 First vendor Publication 2023-01-17
Vendor VU-CERT Last vendor Modification 2023-01-23
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

TP-Link router WR710N-V1-151022 running firmware published 2015-10-22 and Archer-C5-V2-160201 running firmware published 2016-02-01 are susceptible to two vulnerabilities:

  1. A buffer overflow during HTTP Basic Authentication allowing a remote attacker to corrupt memory allocated on a heap causing denial of service or arbitrary code execution;
  2. A side-channel attack via a strcmp() function in the HTTP daemon allowing deterministic guessing of each byte of a username and password input during authentication.

Description

TP-Link device WR710N-V1-151022 is a 150Mbps Wireless N Mini Pocket router, and Archer-C5-V2-160201 is a Wireless Dual Band Gigabit router. These SOHO devices are sold by TP-Link and their latest firmware available as of January 11, 2023, have two vulnerabilities.

CVE-2022-4498 When receiving user input during HTTP Basic Authentication mode, a crafted packet may cause a heap overflow in the httpd daemon. This can lead to denial of service (DoS) if the httpd process crashes or arbitrary remote code execution (RCE).

CVE-2022-4499 A strcmp() function in httpd, is susceptible to a side-channel attack when used to verify usename and password credentials. By measuring the response time of the vulnerable process, each byte of the username and password strings may be easier to guess.

Impact

The two different vulnerabilities have unrelated impacts. The first vulnerability is a heap-based buffer overflow that can cause a crash or allow for arbitrary remote code execution. The second vulnerability is an information disclosure issue where the function used by the httpd process may allow an attacker to guess each byte of a username and password deterministically.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thanks to the reporter, Jonathan Bar of Microsoft, for responsibly disclosing these issues.

This document was written by Timur Snoke.

Original Source

Url : https://kb.cert.org/vuls/id/572615

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
50 % CWE-203 Information Exposure Through Discrepancy

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1
Os 1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2023-01-23 17:22:02
  • Multiple Updates
2023-01-20 17:22:06
  • Multiple Updates
2023-01-19 21:35:33
  • Multiple Updates
2023-01-17 21:21:45
  • First insertion