Posted on June 20, 2019 at 3:46 AM
A critical zero-day vulnerability has been found in Wi-Fi extenders made by the company TP-Link. It could allow malicious threat actors to execute code remotely on a victim's device.
The models impacted include the RE365, RE650, RE350 and RE500 devices running firmware version 1.0.2 (build 20180213). The issue was found by security researchers from IBM's X-Force lab and was disclosed in a blog post on Tuesday.
Commercial and home users at risk
The devices in question are used extensively in both homes and businesses. They fill dead spots in Wi-Fi coverage in homes and businesses around the world. Repeaters work by catching the signal from a router and amplifying it to extend the coverage of an existing network.
The problem with these devices, as with any other connected to the internet, is that they can be hijacked by malicious threat actors to gain remote access to a system and compromise it. In this case, the vulnerability allows threat actors to perform remote code execution.
The affected TP-Link extenders use the MIPS architecture. The vulnerability is triggered by sending an HTTP request with a malformed User-Agent header: the device mishandles the field, and the attacker is able to run shell commands on it.
IBM researcher Grzegorz Wypych says the bug can be used to access the extender remotely without any authentication, allowing attackers to hijack the device and take complete control of it.
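Because the trigger described above rides in the User-Agent header, a defender can hunt for it in the access logs of a proxy or syslog collector sitting in front of the extender's web interface. The following scanner is an added example and is not code from IBM X-Force or TP-Link; the log lines are constructed in the "combined" format, and the heuristic flags shell metacharacters that no legitimate User-Agent needs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/nginx "combined" format, as a monitoring
# proxy in front of the extender's web interface might record them.
# These are made-up entries, not captured traffic.
SAMPLE_LOG = """\
192.168.0.10 - - [18/Jun/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.0.55 - - [18/Jun/2019:10:01:09 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "curl/7.58.0"
10.0.0.7 - - [18/Jun/2019:10:02:41 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0;$(id)"
10.0.0.7 - - [18/Jun/2019:10:02:45 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0`uname -a`"
not a log line at all
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Backticks, pipes, "&&" and $(...)/${...} expansion never appear in a real
# User-Agent. Semicolons do ("Windows NT 10.0; Win64; x64"), so a ';' only
# counts when it is glued to the next token instead of followed by a space.
SHELL_META = re.compile(r'[`|]|\$[({]|&&|;(?=\S)')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_user_agent(ua: str) -> bool:
    """True when the User-Agent carries shell metacharacters or non-printable bytes."""
    if SHELL_META.search(ua):
        return True
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in ua)

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose User-Agent looks like a command-injection attempt."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and suspicious_user_agent(entry["ua"]):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} suspicious User-Agent: {hit["ua"]!r}')
```

A hit from the same client should be correlated with any new listener or outbound connection on the extender, since the write-up below reports the attackers' shell being reached over TCP port 4444.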
Research team proof of concept used a RE365 Wi-Fi Extender
The X-Force team was able to connect to an RE365 device over TCP port 4444 and obtain a root shell. No additional privilege escalation was needed during the infection process, because every process on the device runs with root privileges by default.
Wypych went on to say that "running root as default is quite risky because anyone who may compromise the device could perform any action on it." He added that his first thought was of a Mirai-type attack on IoT devices, where remote scripts could run as root if the vulnerability were exploited in this manner.
TP-Link has updated the firmware, and patches are available for each and every one of the affected devices on the TP-Link website. The company has not issued any statement regarding the vulnerability.
People in the security industry have been taken aback by TP-Link's silence on the matter, and many are rightly angry with the company for allowing such a vulnerability to come about.
According to many sources, it is similar to the Dell remote access bug that affected all computers made by that company. Dell had installed its proprietary troubleshooting software, which ran as administrator by default. This allowed threat actors to abuse the software in a sophisticated attack that exposed every single Dell laptop to remote viewing and tampering.
Dell is a large corporate supplier of laptops, and many companies were angry with the lax approach to security that Dell showed. TP-Link finds itself in a similar situation, as many of these extenders are deployed in corporate headquarters around America.
Whenever TP-Link releases its statement, it will be expected to say what it intends to do from here on with regard to running all processes as root by default. Should the company not show a plan to change its ways, it may lose a lot of corporate business in the long run.