A maximum-severity safety flaw has been disclosed within the TP-Hyperlink Archer C5400X gaming router that might result in distant code execution on vulnerable gadgets by sending specifically crafted requests.
The vulnerability, tracked as CVE-2024-5035, carries a CVSS rating of 10.0. It impacts all variations of the router firmware together with and previous to 1_1.1.6. It has been patched in model 1_1.1.7 launched on Could 24, 2024.
“By successfully exploiting this flaw, remote unauthenticated attackers can gain arbitrary command execution on the device with elevated privileges,” German cybersecurity agency ONEKEY stated in a report revealed Monday.
The problem is rooted in a binary associated to radio frequency testing “rftest” that is launched on startup and exposes a community listener on TCP ports 8888, 8889, and 8890, thus permitting a distant unauthenticated attacker to realize code execution.
Whereas the community service is designed to solely settle for instructions that begin with “wl” or “nvram get,” ONEKEY stated the restriction discovered that the restriction might be trivially bypassed by injecting a command after shell meta-characters like ; , & , or, | (e.g., “wl;id;”).
TP-Hyperlink’s carried out repair in model 1_1.1.7 Construct 20240510 addresses the vulnerability by discarding any command containing these particular characters.
“It seems the need to provide a wireless device configuration API at TP-Link had to be answered either fast or cheap, which ended up with them exposing a supposedly limited shell over the network that clients within the router could use as a way to configure wireless devices,” ONEKEY stated.
The disclosure arrives weeks after safety flaws have been additionally revealed by the corporate in Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and Ligowave networking gear (CVE-2024-4999) that might permit distant attackers to achieve distant command execution with elevated privileges.
It is value noting that these flaws stay unpatched because of them being not actively maintained, making it crucial that customers take enough steps to restrict publicity of administration interfaces to scale back the potential for exploitation.
