News

Some TP-Link Routers Found Vulnerable To Exploits

Several TP-Link routers have been found to be vulnerable to webpage based DNS hijacking attacks. Worryingly the researcher who uncovered information about this vulnerability, Jacob Lell, has also found “an active exploitation campaign,” aimed at the affected TP-Link routers. Meanwhile TP-Link has released updated firmware for some but not all of its affected networking hardware.

There have been many router exploits before, however this newly reported TP-Link exploit looks more immediately serious as Mr Lell has found “five different instances of the exploit on unrelated websites so far”. An automated client honeypot system set up by Lell generated “some 280 GB of web traffic”. The five unrelated instances of the exploit he found tried to change the primary nameserver to three different IP addresses.

The affected TP-Link routers have something called a CSRF vulnerability. These routers allow access to their web-based administration page using HTTP authentication. “When entering the credentials to access the web interface, the browser typically asks the user whether he wants to permanently store the password in the browser. However, even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explains Lell.

If a user then visits a compromised site, like one of the five discovered so far, the site attempts to “change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” says Lell. After that DNS change web addresses typed in by the user can be easily redirected to phishing sites and similar places you wouldn’t ordinarilty want to visit. Also, among many other consequences, software updates can be blocked and email accounts hijacked.

The following devices are confirmed to be vulnerable:

  • TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405 is vulnerable (version 3.3.13 build 130325 and later is not vulnerable)
  • TP-Link TL-MR3020: firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n are vulnerable (but not affected by current exploit in default configuration)
  • TL-WDR3600: firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n are vulnerable (but not affected by current exploit in default configuration)
  • WR710N v1: 3.14.9 Build 130419 Rel.58371n is not vulnerable
  • Some other untested devices are also likely to be vulnerable

Thank you Hexus for providing us with this information
Image courtesy of Hexus

Gabriel Roşu

Disqus Comments Loading...
Share
Published by
Gabriel Roşu
Tags: dnsFirmwarehackIProuterTP-LinkVulnerabilitywireless
10 years ago

Recent Posts

Apacer AS2280F4 PCIe Gen5 1TB M.2 SSD Review

Apacer is a leading name for high-performance storage and memory, and now with the release…

11 mins ago

Corsair Launches New RS MAX Series Fans

Corsair already has the enthusiast market taken care of, with one of the most comprehensive…

4 hours ago

NVIDIA RTX Remix Gets DLSS 3.5 With Ray Reconstruction

The wealth of incredible RTX Remix mods has been pretty amazing, as we've seen so…

4 hours ago

SteelSeries Unveils The White Arctis Nova Pro Series Headphones

SteelSeries has always had some of the absolute best gaming headsets on the market, spanning…

4 hours ago

NVIDIA DLSS 3 Comes to EVERSPACE 2 and Gray Zone Warfare

There are now over 500 games and applications that feature RTX technologies, and that number…

5 hours ago

ThermalTake Ceres 300 TG ARGB Snow Mid Tower PC Case

Ceres 300 TG ARGB Snow Mid Tower Chassis is an ATX case that comes with…

21 hours ago