Update These TP-Link Routers to Fix Critical Password Vulnerability
If you own one of the four TP-Link routers, including the TP-Link Archer C5 (v4), you need to find and install its latest firmware update right now. The patch addresses a critical vulnerability that would otherwise allow an attacker to take full control of your router – administrative access and everything else – and block you.
The vulnerability, originally discovered by Grzegorz Vypich from the awesome-sounding IBM X-Force Red hacker squad, appears to require someone to have network access to your router in order to get started. While this makes it a little less useful, as long as you have a great Wi-Fi password (and a good lock on your front door), that doesn’t mean there are no other vulnerabilities that a skilled attacker could use to break into your network or send commands. your router.
Even if this hack is more likely to affect business networks or anywhere else where a compromised router could be used as a vector for a larger attack, there is no reason to be lazy and update your device’s firmware at home. A few minutes spent on this simple task can save you the pain, as Vipich and co-author of the Security Intelligence article Limor Kessem describe:
After gaining administrator access without the need for real authentication, we found that this particular device also allows FTP to be configured on the WAN. In addition, we were able to remotely control the router over a secure HTTPS connection, which is also vulnerable to this CGI attack. The impact and consequences of this router vulnerability, if exploited by a malicious third party, can be detrimental.
Not only can attackers gain privileged access, but a legitimate user can be blocked and no longer be able to log into the web service through the user interface, as this page will no longer accept any passwords (without the user’s knowledge). In this case, the victim may lose access to the console and even to the shell and thus be unable to recover the new password. Even if there was a way to set a new password, the next vulnerable LAN / WAN / CGI request would invalidate the password again. Thus, the only access to the FTP files will be through the USB port connection.
The vulnerability that allows this to happen is bizarre but seemingly simple. The attack, known as password overflow, involves spoofing HTTP headers to make it appear that the login request comes from the IP address of the router or domain used by TP-Link routers during the initial setup process – tplinkwifi.net.
The router considers the login request to be legitimate, and sending a password string with a request that is shorter than the router expects prevents anyone from logging in with the correct password. (This is essentially a denial of service attack.) Sending a longer password string eliminates the previously legitimate password, giving the attacker full unsecured access to the router.
Update your router’s firmware now
To address this vulnerability, TP-Link has released firmware updates for the affected routers. I recommend checking the bottom or back of your router to confirm that you have (and its hardware revision number, such as “V4”) and download updates now if you have one of these four routers:
- TP-Link Archer C5 v4
- TP-Link Archer MR200v4
- TP-Link MR6400v4
- TP-Link Archer MR400v3
Once you’ve done that, open your router’s web configuration screen, login and look for the section related to firmware updates. To use the C5 as an example, you need to click on the Advanced tab at the top, scroll down to System Tools and click on Firmware Update. You can then find the downloaded (and unzipped) firmware update and install it on your device using the big Update button.
While it would be great if all routers could just ping the update server and automatically download and install firmware updates for you, they are not. It is usually your responsibility to update your router. And I understand that; Constantly checking a website for firmware updates is an annoying process.
In fact, this is probably the last thing you think of, even if you are quite into your computer and networking hardware (like me). To fix this, leave a reminder in your favorite scheduling tool to revisit your router manufacturer’s support page three months later to check for updates, and set another reminder at that point for whatever period of time you feel is right.