Multiple flaws in TP-Link EAP controller could give hackers free-rein
Privilege escalation and cross-site scripting vulnerabilities discovered allowing WiFi network takeover and with mitigations for all vulnerabilities difficult, patching is required.
Security researchers have found several flaws in software from TP-Link that could enable attackers to take over a Wi-Fi network.
According to a blog post by Core Security, the flaws exist in TP-Link's EAP Controller. This is software that enables organisations to manage wireless access points for a central console.
Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the web application. Due to the use of a hard-coded cryptographic key the backup file of the web application can be decrypted, modified and restored back.
Also, the web application does not have Cross-Site Request Forgery protection and finally, two stored Cross Site Scripting vulnerabilities were found.
Researchers said that the software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. They demonstrated a proof of concept that showed the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user).
They also found that the web API does not restrict low privilege users, so an observer can make a request to download the web app backup file. “The backup file is encrypted with a hard-coded cryptographic key so anyone who knows that key and the algorithm can decrypt it,” said researchers.
They also discovered that there are no Anti-CSRF tokens in any forms on the web interface. “This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain,” said researchers.
According to Core Security, they sent an initial notification to TP-Link in January. Later that month, TP-Link said that they had checked the draft advisory and would fix the vulnerabilities. In February, TP-Link sent a beta version of the software, but Core Security found that all the vulnerabilities were fixed. However, a new version of the EAP Controller Software was released (v2.6.0), but this version didn´t address the reported vulnerabilities.
TP-Link informed that they were planning to release the fixed version in April. This version (v2.6.1) was released then and Core Security tested the new release and confirmed that the reported vulnerabilities were addressed.
Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that the fact that attackers can remotely force the creation of administrator users and even enable SSH on the device, makes it difficult for organisations to spot any anomalous behaviour in terms of device tampering.
“The simplest and most elegant way to mitigate these attacks is to install the latest security patches that address the reported vulnerabilities. For instance, the fact that one of the vulnerabilities involves the use of a hard-coded cryptographic key makes it difficult for organisations to manually mitigate it,” he said.
“Other than installing the latest patches, it's difficult for organisations to set up mitigations for all described vulnerabilities. Some might not even be possible to mitigate, such as the use of a hard-coded cryptographic key.”