CYFIRMA’s Research team has conducted a thorough analysis of a critical security vulnerability, identified as CVE-2024-21833, affecting TP-Link Routers (Archer & Deco). Discovered on January 10, 2024, by JPCERT/CC, this vulnerability carries a significant CVSS score of 8.8, indicating it’s severity. The flaw exposes TP-Link Routers (Archer & Deco) to OS command injection, demanding urgent attention due to the potential risks associated with it. The research underscores the critical importance of prompt mitigation measures, emphasizing the need for immediate patching and proactive security measures across TP-Link Router installations. The vulnerability’s nature, potential impact, and the urgency of addressing it are thoroughly explored to provide valuable insights for users and organizations relying on TP-Link networking devices. In the past, the Chinese state-sponsored APT groups (Camaro Dragon, aka Mustang Panda) have been known to utilize a similar firmware implant customized for TP-Link routers to conduct malicious cyber-attacks.
TP-Link, a well-established brand of networking products, offers a comprehensive range of solutions catering to both home and business users. Known for its routers, switches, Wi-Fi range extenders, powerline adapters, access points, network adapters, and smart home devices, TP-Link has earned a reputation for providing reliable and affordable networking solutions. However, recent security concerns have surfaced regarding specific models, including the Archer AX3000, Archer AX5400, Archer AXE75, Deco X50, and Deco XE200. Identified vulnerabilities related to OS command injection in firmware versions before specific releases have prompted the need for immediate action: users of these TP-Link products are strongly advised to update their firmware to recommended versions, such as “Archer AX3000(JP)_V1_1.1.2 Build 20231115” or newer, to address these security issues. Regular firmware updates are essential for safeguarding against potential threats and ensuring the safety and integrity of network environments, while also offering enhanced features and performance.
Key Takeaways:
Acknowledgements:
CYFIRMA Research teams acknowledge security researchers who responsibly disclose the vulnerability.
Vulnerability Type: OS command injection vulnerabilities
CVE ID: CVE-2024-21833
CVSS Severity Score: 8.8 (HIGH)
Application: TP-Link Router
Impact: command injection vulnerabilities.
Severity: High
Affected Versions: The earliest affected version is Archer AX3000(JP)_V1_1.1.2 Build 20231115 0.2.0 and Deco XE200(JP)_V1_1.2.5 Build 20231120 more – 0.3.0, check here.
Patch Available: Yes
TP-LINK products, including the Archer and Deco series, are susceptible to exploitation by network-adjacent unauthenticated attackers, who have access to the product, allowing them to execute arbitrary OS commands. This vulnerability stems from insufficient sanitization of the country parameter in a write operation, enabling an unauthenticated attacker to exploit the flaw through a basic POST request.
The escalated risk associated with the potential exposure of breached networks underscores the urgent necessity to promptly address security concerns. This urgency is particularly heightened in containerized environments, where the repercussions of such breaches can be more severe. It is imperative to safeguard against the heightened risk of botnet attacks and unauthorized access to networks.
The earliest affected version is Tp-Link Router Archer AX3000(JP)_V1_1.1.2 Build 20231115,” “Archer AX5400(JP)_V1_1.1.2 Build 20231115,” “Archer AXE75(JP)_V1_231115,” “Deco X50(JP)_V1_1.4.1 Build 20231122,” and “Deco XE200(JP)_V1_1.2.5 Build 20231120, check here.
Router devices, integral to the modern infrastructure of business operations, serve as the backbone for secure access to an organization’s sensitive information. This includes personal data, financial details, and proprietary intellectual assets. Nevertheless, the expanding use of these services also increases the potential for exploitation by malicious actors.
Prominent instances have emerged wherein threat actors have specifically targeted and exploited vulnerabilities within file-transfer services and software, noteworthy cases including Cisco IOS XE (CVE-2023-20198; CVSS 10), FatPipe WARP IPVPN (CVE-2021-27860; CVSS 8), and D-LINK DIR-806 1200M11AC wireless router (VE-2023-43128; CVSS 9.8). A recent addition to this concerning trend is a vulnerability identified in TP-link Routers (CVE-2024-21833; CVSS 8.8) which is further compounded by the active involvement of Russian threat actor groups (APT 28) such as FROZENLAKE and Sofacy, showcasing a pointed interest in exploiting these vulnerabilities. Another Chinese-backed hacking group; Volt Typhoon, is also allegedly involved in network attacks against high-value networks.
Such vulnerabilities not only pose direct risks, but also give rise to broader supply chain attacks. Given that third-party file transfer services often handle corporate data, they inadvertently create expansive attack surfaces, making sensitive information more susceptible to breaches.
The consequences of these vulnerabilities have widespread implications across various sectors, affecting major financial institutions, educational institutions, governmental agencies, healthcare providers, insurance firms, and legal entities alike.
CYFIRMA’s research team has identified activity on underground forums, where unidentified hackers are selling exploits, targeting organizations affected by CVE-2024-21833 within TP-LINK products, encompassing vulnerabilities in the Archer and Deco series. The emerging concern is the potential for threat actors to develop and provide bespoke tools specifically designed to exploit router vulnerabilities in these instances. As the integration of IoT devices into our daily lives continues to rise, threat actors are increasingly motivated by financial gains and the potential to create chaos and see the opportunity to perpetrate attacks on these interconnected devices.
On a breached forum, an unknown threat actor, potentially associated with the Middle Eastern has shared a detailed, step-by-step method for compromising a nearby area, raising significant security concerns. It’s important to report this information to relevant cybersecurity authorities and take immediate steps to enhance security measures, including updating software, increasing user awareness, and collaborating with the broader cybersecurity community to mitigate potential risks.
Is there already an exploit tool to attack this vulnerability?
Based on the latest findings, there is currently no publicly available proof-of-concept (PoC) Vulnerability. However, it has come to our attention that discussions and potential sharing of the PoC have taken place in the telegram channel.
Has this vulnerability already been used in an attack?
Evidence from underground forums indicates active exploitation of the CVE-2024-21833 vulnerability.
Are hackers discussing this vulnerability in the Deep/Dark Web?
According to CYFIRMA’s observations, discussions or potential exploitation related to CVE-2024-21833 in the Deep/Dark Web have revealed the identification of more than 225.5k TP-link router devices globally. It is essential to maintain continuous monitoring of underground forums and channels to detect emerging discussions or potential threats.
What is the attack complexity level?
The attack complexity level for CVE-2023-21833 in TP-LINK products, including Archer and Deco series NVD is assessed as high.
Further analysis of the CVE-2024-21833 vulnerability in TP-LINK products, particularly the Archer and Deco series, reveals that the critical OS Command Injection flaw affects Archer AX3000 firmware versions before 1.1.2. The vulnerability stems from a lack of proper sanitization of the HTTP request method parameter during a write operation in the web management interface’s HTTP Request endpoint.
The specific technical details of the exploit involve the manipulation of the vulnerable HTTP Request parameter: attackers can craft specially-designed HTTP requests, incorporating malicious commands (in one instance, initiating the download of harmful content from a specified URL using the ‘wget’ command). This exploitation method grants the attackers root user privileges, potentially enabling a complete takeover of the router’s operating system.
The potential scale of the issue is significant, with a staggering 37,213 instances of TP-Link Archer devices, encompassing 20,114 unique IP addresses, publicly accessible and potentially vulnerable to this flaw. The exposed devices are susceptible to unauthorized access and control, jeopardizing the confidentiality, integrity, and availability of the routers.
The severity of successful exploitation cannot be understated. Attackers could carry out a range of malicious activities, including unauthorized configuration changes, interception of sensitive information transmitted through the router, and disruption of critical router functionalities. The impact extends beyond individual device compromise to potential network-wide ramifications.
Mitigation measures are crucial. Users are strongly advised to update their Archer AX3000 firmware to version 1.1.2 (or later) promptly. Network administrators should consider implementing network segmentation, isolating vulnerable devices from critical parts of the network. Additionally, configuring firewall rules to restrict access to vulnerable devices can serve as an additional protective layer.
As responsible disclosure is paramount, coordination with TP-LINK is recommended for the public release of information and the timely deployment of patches. Raising awareness among affected users and administrators about the vulnerability, its potential risks, and mitigation strategies is essential for a comprehensive response to this security threat.
Organizations should promptly apply the security updates provided by TP-LINK, especially for products such as the Archer and Deco series. Enhancing password practices, closely monitoring devices, and optimizing web application configurations are additional measures that can significantly strengthen protection against potential exploits. Swift action is essential to rapidly address and prevent the exploitation vulnerabilities.
Target Geography: Organizations actively deploying TP-Link devices within the affected versions may face potential risks due to CVE-2024-21833. The impact of this vulnerability is not constrained by geographic boundaries and extends to any region where TP-Link devices are utilized. As a result, organizations across various regions need to prioritize patching and implement robust mitigation strategies. By doing so, they can effectively fortify their systems and protect their data against the constantly evolving tactics employed by threat actors. Organizations must take proactive measures, regardless of their geographical location, to ensure the security and resilience of their network infrastructure.
Target Industry: The CVE-2024-21833 vulnerability present in TP-Link devices poses a widespread threat across various industries, including education, finance, banking, and others that heavily rely on these devices. This vulnerability allows for the execution of arbitrary OS commands, making it a serious concern for organizations utilizing TP-Link devices. Threat actors, armed with knowledge of this vulnerability, may strategically target industries based on the perceived value of the data or services managed by TP-Link servers. Entities dealing with sensitive information or those heavily reliant on the capabilities of TP-Link devices are particularly appealing targets.
To comprehensively assess the potential impact, organizations should consider the vulnerability’s implications across different geographic regions and industries. This evaluation is vital for understanding the nature of CVE-2024-21833 and determining the most effective mitigation measures. Staying well-informed through official channels, such as security advisories from relevant authorities or vendors, is crucial for obtaining the latest and most accurate information. Organizations are strongly advised to proactively address this vulnerability to safeguard their systems and data from potential exploitation by malicious actors.
The emergence of CVE-2024-21833 in TP-LINK’s Archer and Deco series firmware underscores the critical importance of proactive security measures: immediate implementation of security updates, reinforcement of password policies, the establishment of device monitoring, and optimization of web application configurations are essential to fortify defences against potential exploits. The primary focus should revolve around sustained vigilance, giving priority to rapid patch deployment and adopting comprehensive mitigation strategies to swiftly close vulnerability gaps and thwart attempts by malicious actors exploiting the system, ensuring a resilient and secure network infrastructure.
