Hackers Exploiting TP-Link Vulnerability to Gain Root Access
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Researchers have uncovered a critical vulnerability in TP-Link TL-WR845N routers that could allow attackers to gain complete control over affected devices.
The flaw, identified as CVE-2024-57040 and assigned a CVSS score of 9.8 (Critical), exposes hardcoded root shell credentials stored within the router’s firmware files, creating a significant security risk for users worldwide.
According to IoT Security Research Lab, the vulnerability stems from MD5-hashed root passwords stored in plaintext within publicly accessible firmware files.
The credentials are stored in two specific locations: “squashfs-root/etc/passwd” and “squashfs-root/etc/passwd.bak”.The exposed hardcoded root password can be easily cracked to reveal “1234” while the root username appears in plaintext as “admin.”
Security experts note that all known firmware versions of the TP-Link TL-WR845N router are affected, including:
This vulnerability presents a severe security risk as attackers with these credentials can essentially take full control of the router, potentially intercepting network traffic and installing persistent backdoors.
Risk Factors Details Affected ProductsTL-WR845N(UN)_V4_190219TL-WR845N(UN)_V4_200909TL-WR845N(UN)_V4_201214ImpactUnauthorized root-level access to the routerExploit PrerequisitesKnowledge of the router’s hardcoded root password, brute force attack to obtain the passwordCVSS 3.1 ScoreBase Score: 9.8 (Critical)
Exploitation Methods
According to a team of security researchers from the IoT Security Research Lab at the Indian Institute of Information Technology in Allahabad, attackers can obtain the router’s firmware through two primary methods.
The first involves physical access to extract the SPI Flash memory directly from the device.
The second, more concerning method allows attackers to simply download the firmware from TP-Link’s official website, as all firmware versions contain the same vulnerability.
Once obtained, the firmware can be analyzed using tools like Binwalk or specialized firmware auditing software to extract the file system. Commands as simple as cat passwd or cat passwd.bak reveals the credentials needed to gain root access.
For verification, attackers can access the root shell via UART port communication by using the command login and entering the discovered credentials, granting them complete administrative control over the device.
This vulnerability poses multiple serious threats to affected users:
Attackers can modify firmware, install persistent backdoors, and intercept all network traffic passing through the router. Once inside the router, attackers can establish a foothold to target other devices on the same network.
If combined with other vulnerabilities like authentication bypass flaws (similar to those found in related models such as TL-WR840N and TL-WR841N), attackers could potentially execute these attacks remotely.
Mitigations
As TP-Link has not yet released a security patch addressing CVE-2024-57040, users of affected routers should take immediate precautions:
This latest discovery follows a troubling pattern of security issues in consumer routers. Earlier vulnerabilities like the authentication bypass in TL-WR840N/TL-WR841N models (which allowed attackers to bypass authentication by manipulating the Referer Header) highlight the ongoing security challenges facing home networking equipment.
Users are advised to stay vigilant and regularly check for firmware updates from TP-Link that may address this critical security flaw.
#Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Hackers Exploiting TP-Link Vulnerability to Gain Root Access
Author: Guru BaranResearchers have uncovered a critical vulnerability in TP-Link TL-WR845N routers that could allow attackers to gain complete control over affected devices.
The flaw, identified as CVE-2024-57040 and assigned a CVSS score of 9.8 (Critical), exposes hardcoded root shell credentials stored within the router’s firmware files, creating a significant security risk for users worldwide.
According to IoT Security Research Lab, the vulnerability stems from MD5-hashed root passwords stored in plaintext within publicly accessible firmware files.
The credentials are stored in two specific locations: “squashfs-root/etc/passwd” and “squashfs-root/etc/passwd.bak”.The exposed hardcoded root password can be easily cracked to reveal “1234” while the root username appears in plaintext as “admin.”
Security experts note that all known firmware versions of the TP-Link TL-WR845N router are affected, including:
- TL-WR845N(UN)_V4_190219
- TL-WR845N(UN)_V4_200909
- TL-WR845N(UN)_V4_201214
This vulnerability presents a severe security risk as attackers with these credentials can essentially take full control of the router, potentially intercepting network traffic and installing persistent backdoors.
Risk Factors Details Affected ProductsTL-WR845N(UN)_V4_190219TL-WR845N(UN)_V4_200909TL-WR845N(UN)_V4_201214ImpactUnauthorized root-level access to the routerExploit PrerequisitesKnowledge of the router’s hardcoded root password, brute force attack to obtain the passwordCVSS 3.1 ScoreBase Score: 9.8 (Critical)
Exploitation Methods
According to a team of security researchers from the IoT Security Research Lab at the Indian Institute of Information Technology in Allahabad, attackers can obtain the router’s firmware through two primary methods.
The first involves physical access to extract the SPI Flash memory directly from the device.
The second, more concerning method allows attackers to simply download the firmware from TP-Link’s official website, as all firmware versions contain the same vulnerability.
Once obtained, the firmware can be analyzed using tools like Binwalk or specialized firmware auditing software to extract the file system. Commands as simple as cat passwd or cat passwd.bak reveals the credentials needed to gain root access.
For verification, attackers can access the root shell via UART port communication by using the command login and entering the discovered credentials, granting them complete administrative control over the device.
This vulnerability poses multiple serious threats to affected users:
Attackers can modify firmware, install persistent backdoors, and intercept all network traffic passing through the router. Once inside the router, attackers can establish a foothold to target other devices on the same network.
If combined with other vulnerabilities like authentication bypass flaws (similar to those found in related models such as TL-WR840N and TL-WR841N), attackers could potentially execute these attacks remotely.
Mitigations
As TP-Link has not yet released a security patch addressing CVE-2024-57040, users of affected routers should take immediate precautions:
- Modify the admin password to a strong, unique alternative.
- Secure the router’s location to prevent physical tampering and SPI flash extractions.
- Block any unnecessary remote access interfaces like SSH/Telnet.
- Regularly check for unauthorized access attempts or suspicious behavior.
- While the current firmware versions remain vulnerable, TP-Link may release security patches in future updates that can be installed through the router’s management interface at http://tplinkwifi.net
This latest discovery follows a troubling pattern of security issues in consumer routers. Earlier vulnerabilities like the authentication bypass in TL-WR840N/TL-WR841N models (which allowed attackers to bypass authentication by manipulating the Referer Header) highlight the ongoing security challenges facing home networking equipment.
Users are advised to stay vigilant and regularly check for firmware updates from TP-Link that may address this critical security flaw.
#Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security_news #vulnerability
Оригинальная версия на сайте:
