Published:2023/08/21  Last Updated:2023/08/21

JVNVU#99392903
Multiple vulnerabilities in TP-Link products

Overview

Multiple products provided by TP-LINK contain multiple vulnerabilities.

Products Affected

CVE-2023-31188、CVE-2023-32619

  • Archer C50 firmware versions prior to "Archer C50(JP)_V3_230505"
  • Archer C55 firmware versions prior to "Archer C55(JP)_V1_230506"
CVE-2023-36489
  • TL-WR802N firmware versions prior to "TL-WR802N(JP)_V4_221008"
  • TL-WR841N firmware versions prior to "TL-WR841N(JP)_V14_230506"
  • TL-WR902AC firmware versions prior to "TL-WR902AC(JP)_V3_230506"
CVE-2023-31188、CVE-2023-37284
  • Archer C20 firmware versions prior to "Archer C20(JP)_V1_230616"
CVE-2023-38563
  • Archer C1200 firmware versions prior to "Archer C1200(JP)_V2_230508"
  • Archer C9 firmware versions prior to "Archer C9(JP)_V3_230508"
CVE-2023-38568
  • Archer A10 firmware versions prior to "Archer A10(JP)_V2_230504"
CVE-2023-38588
  • Archer C3150 firmware versions prior to "Archer C3150(JP)_V2_230511"
CVE-2023-39224
  • Archer C5 firmware all versions
  • Archer C7 firmware versions prior to "Archer C7(JP)_V2_230602"
CVE-2023-39935
  • Archer C5400 firmware versions prior to "Archer C5400(JP)_V2_230506"
CVE-2022-24355
  • TL-WR940N firmware versions prior to "TL-WR940N(JP)_V6_201103"
CVE-2023-40193
  • Deco M4 firmware versions prior to "Deco M4(JP)_V2_1.5.8 Build 20230619"
CVE-2023-40357
  • Archer AX50 firmware versions prior to "Archer AX50(JP)_V1_230529"
  • Archer A10 firmware versions prior to "Archer A10(JP)_V2_230504"
  • Archer AX10 firmware versions prior to "Archer AX10(JP)_V1.2_230508"
  • Archer AX11000 firmware versions prior to "Archer AX11000(JP)_V1_230523"
CVE-2023-40531
  • Archer AX6000 firmware versions prior to "Archer AX6000(JP)_V1_1.3.0 Build 20221208"

Description

Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2023-31188
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • Use of hard-coded credentials (CWE-798) - CVE-2023-32619
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • OS command injection (CWE-78) - CVE-2023-36489
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • Improper authentication (CWE-287) - CVE-2023-37284
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • OS command injection (CWE-78) - CVE-2023-38563
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • OS command injection (CWE-78) - CVE-2023-38568
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • OS command injection (CWE-78) - CVE-2023-38588
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • OS command injection (CWE-78) - CVE-2023-39224
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • OS command injection (CWE-78) - CVE-2023-39935
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • Stack-based buffer overflow (CWE-121) - CVE-2022-24355
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
  • OS command injection (CWE-78) - CVE-2023-40193
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • OS command injection (CWE-78) - CVE-2023-40357
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0
  • OS command injection (CWE-78) - CVE-2023-40531
    CVSS v3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.0

Impact

The following attacks may be performed from the adjacent network:

  • An arbitrary OS command may be executed by a logged-in user - CVE-2023-31188
  • Hard-coded credentials may be used to login to the affected device, and an arbitrary OS command may be executed - CVE-2023-32619
  • An arbitrary OS command may be executed via a crafted request to bypass authentication - CVE-2023-37284
  • An arbitrary OS command may be executed - CVE-2023-36489, CVE-2023-38563, CVE-2023-38568
  • A logged-in user may execute an arbitrary OS command - CVE-2023-38588, CVE-2023-39224, CVE-2023-39935, CVE-2023-40193, CVE-2023-40357, CVE-2023-40531
  • An arbitrary code may be executed via a crafted request - CVE-2022-24355

Solution

Update the Firmware
For products other than Archer C5, update the firmware to the latest version according to the information provided by the developer.

According to the developer, support for the Archer C5 has already ended, so there are no plans to provide an update.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.