Headline
CVE-2023-40193: Multiple vulnerabilities in TP-Link products
Deco M4 firmware versions prior to ‘Deco M4(JP)_V2_1.5.8 Build 20230619’ allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
Published:2023/08/21 Last Updated:2023/08/21
Overview
Multiple products provided by TP-LINK contain multiple vulnerabilities.
Products Affected
CVE-2023-31188、CVE-2023-32619
- Archer C50 firmware versions prior to “Archer C50(JP)_V3_230505”
- Archer C55 firmware versions prior to “Archer C55(JP)_V1_230506”
CVE-2023-36489
- TL-WR802N firmware versions prior to “TL-WR802N(JP)_V4_221008”
- TL-WR841N firmware versions prior to “TL-WR841N(JP)_V14_230506”
- TL-WR902AC firmware versions prior to “TL-WR902AC(JP)_V3_230506”
CVE-2023-31188、CVE-2023-37284
- Archer C20 firmware versions prior to “Archer C20(JP)_V1_230616”
CVE-2023-38563
- Archer C1200 firmware versions prior to “Archer C1200(JP)_V2_230508”
- Archer C9 firmware versions prior to “Archer C9(JP)_V3_230508”
CVE-2023-38568
- Archer A10 firmware versions prior to “Archer A10(JP)_V2_230504”
CVE-2023-38588
- Archer C3150 firmware versions prior to “Archer C3150(JP)_V2_230511”
CVE-2023-39224
- Archer C5 firmware all versions
- Archer C7 firmware versions prior to “Archer C7(JP)_V2_230602”
CVE-2023-39935
- Archer C5400 firmware versions prior to “Archer C5400(JP)_V2_230506”
CVE-2022-24355
- TL-WR940N firmware versions prior to “TL-WR940N(JP)_V6_201103”
CVE-2023-40193
- Deco M4 firmware versions prior to “Deco M4(JP)_V2_1.5.8 Build 20230619”
CVE-2023-40357
- Archer AX50 firmware versions prior to “Archer AX50(JP)_V1_230529”
- Archer A10 firmware versions prior to “Archer A10(JP)_V2_230504”
- Archer AX10 firmware versions prior to “Archer AX10(JP)_V1.2_230508”
- Archer AX11000 firmware versions prior to “Archer AX11000(JP)_V1_230523”
CVE-2023-40531
- Archer AX6000 firmware versions prior to “Archer AX6000(JP)_V1_1.3.0 Build 20221208”
Description
Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.
OS command injection (CWE-78) - CVE-2023-31188
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
Use of hard-coded credentials (CWE-798) - CVE-2023-32619
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
OS command injection (CWE-78) - CVE-2023-36489
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
Improper authentication (CWE-287) - CVE-2023-37284
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
OS command injection (CWE-78) - CVE-2023-38563
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
OS command injection (CWE-78) - CVE-2023-38568
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
OS command injection (CWE-78) - CVE-2023-38588
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
OS command injection (CWE-78) - CVE-2023-39224
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
OS command injection (CWE-78) - CVE-2023-39935
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
Stack-based buffer overflow (CWE-121) - CVE-2022-24355
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.8
OS command injection (CWE-78) - CVE-2023-40193
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
OS command injection (CWE-78) - CVE-2023-40357
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
OS command injection (CWE-78) - CVE-2023-40531
CVSS v3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.0
Impact
The following attacks may be performed from the adjacent network:
- An arbitrary OS command may be executed by a logged-in user - CVE-2023-31188
- Hard-coded credentials may be used to login to the affected device, and an arbitrary OS command may be executed - CVE-2023-32619
- An arbitrary OS command may be executed via a crafted request to bypass authentication - CVE-2023-37284
- An arbitrary OS command may be executed - CVE-2023-36489, CVE-2023-38563, CVE-2023-38568
- A logged-in user may execute an arbitrary OS command - CVE-2023-38588, CVE-2023-39224, CVE-2023-39935, CVE-2023-40193, CVE-2023-40357, CVE-2023-40531
- An arbitrary code may be executed via a crafted request - CVE-2022-24355
Solution
Update the Firmware
For products other than Archer C5, update the firmware to the latest version according to the information provided by the developer.
According to the developer, support for the Archer C5 has already ended, so there are no plans to provide an update.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
Related news
Archer C1200 firmware versions prior to 'Archer C1200(JP)_V2_230508' and Archer C9 firmware versions prior to 'Archer C9(JP)_V3_230508' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: TL-WR802N firmware versions prior to 'TL-WR802N(JP)_V4_221008', TL-WR841N firmware versions prior to 'TL-WR841N(JP)_V14_230506', and TL-WR902AC firmware versions prior to 'TL-WR902AC(JP)_V3_230506'.
Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer AX50 firmware versions prior to 'Archer AX50(JP)_V1_230529', Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504', Archer AX10 firmware versions prior to 'Archer AX10(JP)_V1.2_230508', and Archer AX11000 firmware versions prior to 'Archer AX11000(JP)_V1_230523'.
Archer AX6000 firmware versions prior to 'Archer AX6000(JP)_V1_1.3.0 Build 20221208' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
Archer C3150 firmware versions prior to 'Archer C3150(JP)_V2_230511' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504' allows a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to login to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary OS command.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.