CVE-2023-40193: Multiple vulnerabilities in TP-Link products

Deco M4 firmware versions prior to ‘Deco M4(JP)_V2_1.5.8 Build 20230619’ allow a network-adjacent authenticated attacker to execute arbitrary OS commands.

Published: 2023/08/21 Last Updated: 2023/08/21

Overview

Multiple products provided by TP-LINK contain multiple vulnerabilities.

Products Affected

CVE-2023-31188, CVE-2023-32619

  • Archer C50 firmware versions prior to “Archer C50(JP)_V3_230505”
  • Archer C55 firmware versions prior to “Archer C55(JP)_V1_230506”

CVE-2023-36489

  • TL-WR802N firmware versions prior to “TL-WR802N(JP)_V4_221008”
  • TL-WR841N firmware versions prior to “TL-WR841N(JP)_V14_230506”
  • TL-WR902AC firmware versions prior to “TL-WR902AC(JP)_V3_230506”

CVE-2023-31188, CVE-2023-37284

  • Archer C20 firmware versions prior to “Archer C20(JP)_V1_230616”

CVE-2023-38563

  • Archer C1200 firmware versions prior to “Archer C1200(JP)_V2_230508”
  • Archer C9 firmware versions prior to “Archer C9(JP)_V3_230508”

CVE-2023-38568

  • Archer A10 firmware versions prior to “Archer A10(JP)_V2_230504”

CVE-2023-38588

  • Archer C3150 firmware versions prior to “Archer C3150(JP)_V2_230511”

CVE-2023-39224

  • Archer C5 firmware all versions
  • Archer C7 firmware versions prior to “Archer C7(JP)_V2_230602”

CVE-2023-39935

  • Archer C5400 firmware versions prior to “Archer C5400(JP)_V2_230506”

CVE-2022-24355

  • TL-WR940N firmware versions prior to “TL-WR940N(JP)_V6_201103”

CVE-2023-40193

  • Deco M4 firmware versions prior to “Deco M4(JP)_V2_1.5.8 Build 20230619”

CVE-2023-40357

  • Archer AX50 firmware versions prior to “Archer AX50(JP)_V1_230529”
  • Archer A10 firmware versions prior to “Archer A10(JP)_V2_230504”
  • Archer AX10 firmware versions prior to “Archer AX10(JP)_V1.2_230508”
  • Archer AX11000 firmware versions prior to “Archer AX11000(JP)_V1_230523”

CVE-2023-40531

  • Archer AX6000 firmware versions prior to “Archer AX6000(JP)_V1_1.3.0 Build 20221208”

Description

Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2023-31188

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

  • Use of hard-coded credentials (CWE-798) - CVE-2023-32619

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.8

  • OS command injection (CWE-78) - CVE-2023-36489

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.8

  • Improper authentication (CWE-287) - CVE-2023-37284

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.8

  • OS command injection (CWE-78) - CVE-2023-38563

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.8

  • OS command injection (CWE-78) - CVE-2023-38568

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.8

  • OS command injection (CWE-78) - CVE-2023-38588

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

  • OS command injection (CWE-78) - CVE-2023-39224

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

  • OS command injection (CWE-78) - CVE-2023-39935

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

  • Stack-based buffer overflow (CWE-121) - CVE-2022-24355

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.8

  • OS command injection (CWE-78) - CVE-2023-40193

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

  • OS command injection (CWE-78) - CVE-2023-40357

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

  • OS command injection (CWE-78) - CVE-2023-40531

    CVSS v3

    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Base Score: 8.0

Impact

The following attacks may be performed from the adjacent network:

  • An arbitrary OS command may be executed by a logged-in user - CVE-2023-31188
  • Hard-coded credentials may be used to log in to the affected device, and an arbitrary OS command may be executed - CVE-2023-32619
  • An arbitrary OS command may be executed via a crafted request that bypasses authentication - CVE-2023-37284
  • An arbitrary OS command may be executed - CVE-2023-36489, CVE-2023-38563, CVE-2023-38568
  • A logged-in user may execute an arbitrary OS command - CVE-2023-38588, CVE-2023-39224, CVE-2023-39935, CVE-2023-40193, CVE-2023-40357, CVE-2023-40531
  • Arbitrary code may be executed via a crafted request - CVE-2022-24355

Solution

Update the Firmware
For products other than Archer C5, update the firmware to the latest version according to the information provided by the developer.

According to the developer, support for the Archer C5 has already ended, so there are no plans to provide an update.

Credit

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Related news

CVE-2023-38563: Archer C9 content | TP-Link Japan

Archer C1200 firmware versions prior to 'Archer C1200(JP)_V2_230508' and Archer C9 firmware versions prior to 'Archer C9(JP)_V3_230508' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.

CVE-2023-36489: TL-WR902AC content | TP-Link Japan

Multiple TP-LINK products allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: TL-WR802N firmware versions prior to 'TL-WR802N(JP)_V4_221008', TL-WR841N firmware versions prior to 'TL-WR841N(JP)_V14_230506', and TL-WR902AC firmware versions prior to 'TL-WR902AC(JP)_V3_230506'.

CVE-2023-40357: Archer AX11000 content | TP-Link Japan

Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer AX50 firmware versions prior to 'Archer AX50(JP)_V1_230529', Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504', Archer AX10 firmware versions prior to 'Archer AX10(JP)_V1.2_230508', and Archer AX11000 firmware versions prior to 'Archer AX11000(JP)_V1_230523'.

CVE-2023-40531: Archer AX6000 content | TP-Link Japan

Archer AX6000 firmware versions prior to 'Archer AX6000(JP)_V1_1.3.0 Build 20221208' allow a network-adjacent authenticated attacker to execute arbitrary OS commands.

CVE-2023-38588: Archer C3150 content | TP-Link Japan

Archer C3150 firmware versions prior to 'Archer C3150(JP)_V2_230511' allow a network-adjacent authenticated attacker to execute arbitrary OS commands.

CVE-2023-38568: Archer A10 content | TP-Link Japan

Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.

CVE-2023-32619: Archer C50 content | TP-Link Japan

Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to log in to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary OS command.
