Published:2024/01/09  Last Updated:2024/06/27

JVNVU#91401812
Multiple TP-Link products vulnerable to OS command injection

Overview

Multiple products provided by TP-LINK contain OS command injection vulnerabilities.

Products Affected

CVE-2024-21773

  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"
  • Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"
  • Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120"
  • Archer Air R5 firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"
CVE-2024-21821
  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"
  • Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115"
  • Archer Air R5 firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508"
CVE-2024-21833
  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"
  • Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115"
  • Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"
  • Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120"

Description

Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2024-21773
    CVSS v3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 7.5
  • OS command injection (CWE-78) - CVE-2024-21821
    CVSS v3 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 7.1
  • OS command injection (CWE-78) - CVE-2024-21833
    CVSS v3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 7.5

Impact

  • A unauthenticated user who can access the affected device from the LAN port or Wi-Fi may execute an arbitrary OS command on the device that has pre-specified target devices and blocked URLs in parental control settings - CVE-2024-21773
  • A unauthenticated user who can access the affected device from the LAN port or Wi-Fi may execute an arbitrary OS command on the device - CVE-2024-21833
  • A user who logs in to the affected device may execute an arbitrary OS command (The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi) - CVE-2024-21821

Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-21773
CVE-2024-21821
CVE-2024-21833
JVN iPedia

Update History

2024/06/27
Information under the section [Products Affected], [Impact] and [Vendor Status] was updated