35.3 F
Washington D.C.
Wednesday, February 1, 2023
spot_img

Vulnerabilities in TP-Link routers, WR710N-V1-151022 and Archer C5 V2

A buffer overflow during HTTP Basic Authentication can allow a remote attacker to corrupt memory allocated on a heap causing denial of service.

TP-Link router WR710N-V1-151022 running firmware published 2015-10-22 and Archer-C5-V2-160201 running firmware published 2016-02-01 are susceptible to two vulnerabilities:

  1. A buffer overflow during HTTP Basic Authentication allowing a remote attacker to corrupt memory allocated on a heap causing denial of service or arbitrary code execution;
  2. A side-channel attack via a strcmp() function in the HTTP daemon allowing deterministic guessing of each byte of a username and password input during authentication.

Description

TP-Link device WR710N-V1-151022 is a 150Mbps Wireless N Mini Pocket router, and Archer-C5-V2-160201 is a Wireless Dual Band Gigabit router. These SOHO devices are sold by TP-Link and their latest firmware available as of January 11, 2023, have two vulnerabilities.

CVE-2022-4498 When receiving user input during HTTP Basic Authentication mode, a crafted packet may cause a heap overflow in the httpd daemon. This can lead to denial of service (DoS) if the httpd process crashes or arbitrary remote code execution (RCE).

CVE-2022-4499 A strcmp() function in httpd, is susceptible to a side-channel attack when used to verify usename and password credentials. By measuring the response time of the vulnerable process, each byte of the username and password strings may be easier to guess.

Read more at the CERT Coordination Center

Homeland Security Todayhttp://www.hstoday.us
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles

- Advertisement -

Latest Articles