TP-Link router model TL-WRN841N has two vulnerabilities which, if exploited, could allow it to be taken over and reconfigured by an attacker.
The flaws were discovered by Tenable and another independent researcher, and while they have been reported to TP-Link, a patch has not yet been issued. The TL-WRN841N is a popular home router that is sold by most electronics retailers.
The two vulnerabilities do have to be used in concert, but if this is done an attacker would have "full control over the router by uploading a malicious configuration file that would overwrite the admin credentials and even enable access to the router’s remote administration interface," Tenable wrote.
The first issue found, CVE-2018-11714, is an improper authentication issue that would allow an attacker to trigger a set of CGI routines in the router’s admin webpage by spoofing the HTTP referrer request from "tplinkwifi.net," "tplinklogin.net" or the router’s IP address.
The second vulnerability, CVE-2018-15702, was discovered as a direct result of finding the first. It is a cross-site request forgery flaw in the HTTP referrer whitelist check function in the router’s httpd service. The router uses a string comparison function to see if the URL in an address is whitelisted.
"However, this check is performed in such a way that it only looks at a certain length of characters within the string. Therefore, an attacker could craft a malicious iframe pointing to a URL with the subdomain "tplinkwifi.net" or "tplinklogin.net" (e.g. hxxp://tplinkwifi.net.drive-by-attack[.]com) and the router would consider it part of its whitelisted domains," Tenable said.
Although a patch has not been issued, TP-Link is working with Tenable and recommends that anyone victimized by these vulnerabilities contact the company for more information.
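The length-limited whitelist comparison Tenable describes, shown beside a hardened check that isolates the host and compares it whole. This is an added example, not code from the router firmware or from Tenable; the function names, the `192.168.0.1` address and the sample Referer values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hosts named in the article; the IP is a constructed stand-in for the router's LAN address. */
static const char *const ALLOWED[] = { "tplinkwifi.net", "tplinklogin.net", "192.168.0.1" };
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Return a pointer just past "http://", or NULL if the value does not start with it. */
static const char *host_start(const char *referer) {
    if (referer == NULL || strncmp(referer, "http://", 7) != 0)
        return NULL;
    return referer + 7;
}

/* Flawed pattern: only the first strlen(allowed) characters are compared. */
int referer_allowed_prefix(const char *referer) {
    const char *host = host_start(referer);
    for (size_t i = 0; host && i < N_ALLOWED; i++)
        if (strncmp(host, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 1;
    return 0;
}

/* Hardened: cut out the host, reject userinfo, require an exact full-length match. */
int referer_allowed_exact(const char *referer) {
    const char *host = host_start(referer);
    if (!host) return 0;
    size_t auth = strcspn(host, "/?#");            /* authority ends at path, query or fragment */
    if (memchr(host, '@', auth)) return 0;         /* "allowed-host:x@other-host" form */
    const char *colon = memchr(host, ':', auth);   /* drop an optional :port */
    size_t len = colon ? (size_t)(colon - host) : auth;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (len == strlen(ALLOWED[i]) && strncasecmp(host, ALLOWED[i], len) == 0)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed Referer values: one legitimate, two that only share a prefix. */
    const char *samples[] = { "http://tplinkwifi.net/", "http://192.168.0.10/",
                              "http://tplinkwifi.net.attacker.example/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s prefix=%d exact=%d\n", samples[i],
               referer_allowed_prefix(samples[i]), referer_allowed_exact(samples[i]));
    return 0;
}
```

Exact host matching closes only the comparison flaw; the Referer value is still supplied by the client, which is the subject of CVE-2018-11714.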
* This story first appeared in SC Magazine North America.