“Classic” bugs open TP-Link’s SafeStream Gigabit Broadband VPN Router to attack

Cisco Talos researchers have flagged four serious vulnerabilities in TP-Link’s SafeStream Gigabit Broadband VPN Router (TL-R600VPN). All four affect the device’s HTTP server, and can lead to denial of service, information disclosure, and remote code execution.

TL-R600VPN vulnerabilities

About the vulnerabilities

The flaws affect TP-Link TL-R600VPN, hardware versions 2 and 3.

Numbered CVE-2018-3948 and CVE-2018-3949, respectively, the flaws that can be exploited for DoS and information disclosure can be triggered via an unauthenticated web request and a specially crafted URL.

Both of the RCE flaws – CVE-2018-3950 and CVE-2018-3951 – can only be exploited within an authenticated session, meaning that the attacker (or malware acting on the attacker’s behalf) must first log in with valid credentials to mount a successful attack.

Unfortunately for the world at large, many users never change the device’s login credentials, which are usually the same for all devices from the same product line. This fact is often misused by attackers looking for devices to rope into their botnets, and is a problem that some of the recently signed legislation is trying to solve.

“These are just the latest example that these pieces of equipment are not only vulnerable, they also lack the generic operating systems protections that mitigate vulnerabilities like buffer overflows,” the researchers pointed out. “Fortunately in the case of TL-R600VPN routers, the critical vulnerabilities that lead to remote code execution need authentication. However, the code could be executed with root privileges.”

With all that in mind, and the fact that the researchers have detailed the flaws extensively and provided proof-of-concept exploit code, administrators of these devices would do well to download and implement the firmware updates provided by the manufacturer to plug these holes.
