News

Some TP-Link Routers Found Vulnerable To Exploits

Several TP-Link routers have been found to be vulnerable to webpage based DNS hijacking attacks. Worryingly the researcher who uncovered information about this vulnerability, Jacob Lell, has also found “an active exploitation campaign,” aimed at the affected TP-Link routers. Meanwhile TP-Link has released updated firmware for some but not all of its affected networking hardware.

There have been many router exploits before, however this newly reported TP-Link exploit looks more immediately serious as Mr Lell has found “five different instances of the exploit on unrelated websites so far”. An automated client honeypot system set up by Lell generated “some 280 GB of web traffic”. The five unrelated instances of the exploit he found tried to change the primary nameserver to three different IP addresses.

The affected TP-Link routers have something called a CSRF vulnerability. These routers allow access to their web-based administration page using HTTP authentication. “When entering the credentials to access the web interface, the browser typically asks the user whether he wants to permanently store the password in the browser. However, even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explains Lell.

If a user then visits a compromised site, like one of the five discovered so far, the site attempts to “change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” says Lell. After that DNS change web addresses typed in by the user can be easily redirected to phishing sites and similar places you wouldn’t ordinarilty want to visit. Also, among many other consequences, software updates can be blocked and email accounts hijacked.

The following devices are confirmed to be vulnerable:

  • TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405 is vulnerable (version 3.3.13 build 130325 and later is not vulnerable)
  • TP-Link TL-MR3020: firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n are vulnerable (but not affected by current exploit in default configuration)
  • TL-WDR3600: firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n are vulnerable (but not affected by current exploit in default configuration)
  • WR710N v1: 3.14.9 Build 130419 Rel.58371n is not vulnerable
  • Some other untested devices are also likely to be vulnerable

Thank you Hexus for providing us with this information
Image courtesy of Hexus

Gabriel Roşu

Disqus Comments Loading...
Share
Published by
Gabriel Roşu
Tags: dnsFirmwarehackIProuterTP-LinkVulnerabilitywireless
11 years ago

Recent Posts

Electronic Arts Titles Played for Over 11 Billion Hours in 2024

Electronic Arts (EA) announced today that its games were played for over 11 billion hours…

2 days ago

Just 15% of Steam Gaming Time in 2024 Was Spent on New Releases

Steam's annual end-of-year recap, Steam Replay, provides fascinating insights into gamer habits by comparing individual…

2 days ago

STALKER 2 Gets Massive 110GB Patch With 1800+ Fixes

GSC GameWorld released a major title update for STALKER 2 this seeking, bringing the game…

2 days ago

Intel Unveils Core 200H Processors Based on the Previous Raptor Lake Refresh

Without any formal announcement, Intel appears to have revealed its new Core 200H series processors…

3 days ago

Ubisoft Reportedly Developing a New Quadruple A Game

Ubisoft is not having the best of times, but despite recent flops, the company still…

3 days ago

STALKER 2: Heart of Chornobyl Update 1.1 Fixes 1,800 Issues and Revamps A-Life 2.0

If you haven’t started playing STALKER 2: Heart of Chornobyl yet, now might be the…

3 days ago