Two models of TP-Link routers are exposed to a zero-day vulnerability that allows malicious users to take control of the devices, report penetration testing course specialists from the International Institute of Cyber Security (IICS).
“We have discovered a zero-day vulnerability that compromises the operation of the device, exposing it to remote attacks,” says Grzegorz Wypych, a cybersecurity specialist. The company has reported that the affected router models have been discontinued; however, the devices can still be found for sale online.
According to the penetration testing course experts, after both router models were examined, it was found that the vulnerabilities are linked to the web control panel used to configure the router. “The controls that are in the web interface really don’t protect the ‘real’ router, which makes things a lot easier for hackers,” the experts added.
One possible attack vector arises when a user sends ping requests from the web panel: a message then appears on the device console that refers to native code compiled into the firmware binary. After a series of (really complex) steps it is possible to create the conditions for a buffer overflow attack. “Without going into detail, this is a classic buffer overflow vulnerability,” the researchers mentioned.
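As an added illustration (not code from the researchers or from TP-Link’s firmware, whose internals the article does not show), the pattern described above: a host value taken from the web panel’s ping form is copied into a fixed-size stack buffer before being handed to native code. The buffer size, function names and validation rule are assumptions made for this example; the hardened variant bounds the length and restricts the character set so the overflow cannot occur.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed buffer size for the example; the article does not give the real one. */
#define HOST_MAX 64

/* Vulnerable pattern: the length of the user-supplied host is never checked,
 * so a host longer than HOST_MAX-1 bytes overruns the stack buffer.
 * Shown for contrast only; nothing below calls it. */
int ping_handler_vulnerable(const char *host_from_form)
{
    char cmd_host[HOST_MAX];
    strcpy(cmd_host, host_from_form);   /* unbounded copy: classic stack overflow */
    printf("pinging %s\n", cmd_host);
    return 0;
}

/* Hardened variant: explicit length bound plus an allow-list of hostname
 * characters. Copies the validated host into out and returns 0, or returns -1
 * and leaves out untouched when the input is rejected. */
int ping_handler_hardened(const char *host_from_form, char *out, size_t out_len)
{
    size_t n = 0;
    /* Measure without trusting the input to be short; stop at HOST_MAX. */
    while (n < HOST_MAX && host_from_form[n] != '\0')
        n++;
    /* Empty, too long for the fixed buffer, or too long for the caller's buffer:
     * reject outright rather than truncating silently. */
    if (n == 0 || n >= HOST_MAX || n >= out_len)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host_from_form[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return -1;                  /* outside the hostname alphabet */
    }
    memcpy(out, host_from_form, n);
    out[n] = '\0';
    return 0;
}
```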
According to the specialists from the penetration testing course, the TP-Link updates were released from mid-March onward and apply to the two vulnerable router models. TL-WR940N router users must upgrade to TL-WR940Nv3, while TL-WR940Nv3 router users must upgrade to TL-WR941NDv6.
Researchers argue that most manufacturers of these devices sign outsourcing contracts with low-cost, insecure, and non-quality-controlled firmware developers. As if that were not enough, such developers do not release software updates regularly, or do not release them at all, as the cybersecurity researchers noted.