Two models of TP-Link routers are exposed to the exploitation of a zero day vulnerability that allows malicious users to take control of the devices, report penetration testing course specialists from the International Institute of Cyber Security (IICS).
“We have discovered a zero-day
vulnerability that compromises the operation of the device, exposing it to
remote attacks,” says Grzegroz Wypych, a cybersecurity specialist. The company
has reported that the compromised router
models have been discontinued; however, searching online you can still find
these devices available for purchase.
According to the penetration testing course
experts, after both router models were scanned, it was discovered that the vulnerabilities
are linked to the web control panel used to configure the router. “The
controls that are in the web interface really don’t protect the ‘real’ router,
which makes things a lot easier for hackers,” the experts added.
One of the possible attack vectors can be when
a user sends ping requests, and then a message is displayed on the device
console referring to the native code compiled to the firmware
binary. After making a series of (really complex) steps it is possible to
generate the appropriate conditions for a buffer overflow attack. “Without going into detail, this is a
classic buffer overflow vulnerability “, the researchers mentioned.
According to the specialists from the
penetration testing course, the TP-Link updates were launched from mid-March
and apply to the two vulnerable router models. TL-WR940N router users must
upgrade to TL-WR940Nv3; on the other hand, TL-WR940Nv3 routers users must
upgrade to TL-WR941NDv6.
Researchers argue that most manufacturers of
these devices sign outsourcing contracts with low-cost, insecure, and
non-quality-controlled firmware developers. As if that’s not enough this kind
of developers don’t launch software updates regularly, or they don’t throw them
at all, as mentioned by the cyber security researchers.
