The zero-day vulnerability impacting TP-Link SR20 smart home router was discovered by Google security engineers. The bug was revealed after the company allegedly failed to fix the issue within 90 days. 90 days is a timeframe that is considered as a reasonable period of time offered to providers to fix reported security issues.
The security vulnerability is a zero-day arbitrary code execution (ACE) error in the TP-Link SR20 router. This smart router is a dual-band 2.4 GHz/5 GHz product designed to control smart home and Internet of Things (IoT) devices. The SR20 also supports devices that use the ZigBee and Z-Wave protocols.
According to Garrett, the problem is that the process of running a TP-Link router frequently is called “tddp”, namely the TP-Link device debugging protocol. This process runs at the root level and can initiate two forms of commands without authentication.
The security engineer says, “You send it a filename, a semicolon and then an argument. The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a LUA interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.”
The vulnerability could allow a hacker to remotely control a router and upload its own modified firmware, infecting all of user’s devices. No matter it is a smartphone or a smart camera, none of them can avoid the infection.
Garrett added, “Anyway, stop shipping debug daemons on production firmware and if you’re going to have a webform to submit security issues then have someone actually respond to it.”
In fact, the TP-Link vulnerability is not the only router-related security issue that emerged this week. Cisco’s previous fix in January failed to properly patch remote attacks against Cisco RV320 and RV325 WAN VPN routers. It is recommended that users pay more attention to the official website of the router brand and update the latest firmware in time. Hope the provider fix the vulnerability soon.
Published by Emerson L. Sullivan & last updated on April 4, 2019 9:02 am