Published:2024/01/09  Last Updated:2024/06/27

JVNVU#91401812
Multiple TP-Link products vulnerable to OS command injection

Overview

Multiple products provided by TP-LINK contain OS command injection vulnerabilities.

Products Affected

CVE-2024-21773

  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"
  • Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"
  • Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120"
  • Archer Air R5 firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"
CVE-2024-21821
  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"
  • Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115"
  • Archer Air R5 firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"
CVE-2024-21833
  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"
  • Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115"
  • Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"
  • Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120"

Description

Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2024-21773
    CVSS v3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 7.5
  • OS command injection (CWE-78) - CVE-2024-21821
    CVSS v3 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.1
  • OS command injection (CWE-78) - CVE-2024-21833
    CVSS v3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 7.5

Impact

  • A unauthenticated user who can access the affected device from the LAN port or Wi-Fi may execute an arbitrary OS command on the device that has pre-specified target devices and blocked URLs in parental control settings - CVE-2024-21773
  • A unauthenticated user who can access the affected device from the LAN port or Wi-Fi may execute an arbitrary OS command on the device - CVE-2024-21833
  • A user who logs in to the affected device may execute an arbitrary OS command (The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi) - CVE-2024-21821

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
TP-Link Corporation Limited Download Center (Text in Japanese)
Contents for Archer AX3000 V1 (Text in Japanese)
Contents for Archer AX5400 V1 (Text in Japanese)
Contents for Archer AXE75 V1 (Text in Japanese)
Contents for Deco X50 V1 (Text in Japanese)
Contents for Deco XE200 V1 (Text in Japanese)
Contents for Archer Air R5 V1 (Text in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-21773
CVE-2024-21821
CVE-2024-21833
JVN iPedia

Update History

2024/06/27
Information under the section [Products Affected], [Impact] and [Vendor Status] was updated