A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in TP-Link AX10v1 before V1_211014, allows a remote unauthenticated attacker to disconnect an already connected wireless client via sending with a wireless adapter specific spoofed authentication frames

**Setup Video**

*   **How to Set up Address Reservation on TP-Link Routers Windows**
    
    This video will show you how to set up Address Reservation on TP-Link routers.
    
    Learn More
    
*   **How to Set up OpenVPN on TP-Link Routers Windows**
    
    This video will show you how to set up OpenVPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support.
    
    Learn More
    
*   **How to setup PPTP VPN on TP Link routers Windows**
    
    This video will show you how to set up PPTP VPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support
    
    Learn More
    
*   **How to Setup A TP-Link WiFi 6 Router**
    
    This setup guide will show you how quickly and easily you can setup your new TP-Link WiFi 6 router.
    
    Learn More
    
*   **What should I do if I cannot access the internet? - Using a DSL modem and a TP-Link router**
    
    If you can’t access the internet using a DSL modem and TP-Link router, this video can help you solve the problem.
    
    Learn More
    
*   **What should I do if I cannot access the internet? - Using a cable modem and a TP-Link router**
    
    If you can’t access the internet using a cable modem and TP-Link router, follow this video step by step to solve your problem.
    
    Learn More
    
*   **TP Link Archer AX Series Unboxing and Setup (for Archer AX10, etc.)**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device?
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

Archer AX10(US)\_V1\_211117

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2021-11-30

Language: English

File Size: 15.66 MB

Release Note:  
Bug Fixed:  
1\. Fixed some GDPR Encryption vulnerabilities;  
2\. Fixed abnormal DHCP lease renewal;  
3\. Fixed HTTP smuggling attack vulnerability;  
4\. Fixed HTTP/0.9 request vulnerability.

Archer AX10(US)\_V1\_211014

Download

**Important Notice**

Please upgrade firmware/software from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it may cause upgrade failure or mistakes and be against the warranty.

Still Download  Go to Local Website

Published Date: 2021-11-17

Language: Multi-language

File Size: 15.66 MB

New Features/Enhancement:  
1.Optimized VPN Server feature;  
2.Updated dropbear version and changed the dropbear port;  
3.Updated openssl version;  
4.Improved the stability of OneMesh feature;  
5.Improved the wireless stability.

Bug Fixed:  
1.Fixed the bugs on the Web UI;  
2.Fixed security vulnerabilities;  
3.Fixed the bugs related to dnsmasq;  
4.Fixed the bug that the router can't get WAN IP in some cases;  
5.Fixed the bug related to DMZ;  
6.Fixed the bugs related to AP mode;  
7.Fixed the bug that QoS can't work in some cases;  
8.Fixed the bugs on Tether App;  
9.Fixed WPA3-SAE DOS attack vulnerability;  
10.Fixed the bugs related to WPS.

Archer AX10(US)\_V1\_210809

Download

Published Date: 2021-09-15

Language: Multi-language

File Size: 15.67 MB

New Features/Enhancement:  
1.Added IPv6 firewall feature;  
2.Added IPv6 Parent Control feature;  
3.Optimized QoS feature.

Bug Fixed:  
1.Fixed the bug related to IPTV;  
2.Fixed the bug that OpenVPN client can't use UDP in some cases;  
3.Fixed the bug that the router will keep rebooting itself in some cases.

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

![](https://static.tp-link.com/res/style/images/tp-link-tether.png)

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

![](https://static.tp-link.com/res/images/qrcode/app-tether.png)

*   
*   

Note: To use Tether, please update your router’s firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

190321(US)

\-

English

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

CVE-2021-40288: Download for  Archer AX10 | TP-Link

Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote account takeover due to OTP fixation vulnerability in password rest function

**Vulnerable Software:** Maharashtra State Electricity Board Android Application

**Vulnerability:** Clear-text password storage

**Affected Version:** 7.50 and prior

**Patched:** Yes

**Vendor Homepage:** https://www.mahadiscom.in/en/home/

**App store link:** https://play.google.com/store/apps/details?id=com.msedcl.app&hl=en\_IN&gl=US

**CVE:** CVE-2020-27413

**CVE Author:** Tejas Nitin Pingulkar

**Exploit Available:** POC Available

**About Affected Software**

The Official App for Consumer by Mahavitaran ( M.S.E.D.C.L.). Mahavitaran Consumer App enables consumers to avail Mahavitaran services at his/her fingertips. The app is simple and easy to use. It provides transparency in delivering services to consumers.

►Features :

\*View and Pay bill  
\*Register and Track complaints  
\*View Bill and Payment history  
\*Manage Multiple Electricity Connections  
\*Contact 24 x7 MSEDCL Call Center  
\*Apply for New Connection  
\* Know the status of New Connection Application and Pay Estimate Charges  
\*Submit Meter Reading to avoid average billing  
\*Provide Feedback about Mahavitaran Services  
\*Update Contact Details ( Mobile Number & E-mail ID ) of consumer  
\*Find MSEDCL offices and collection centers near you  
\*Estimate your monthly electricity consumption and bill amount  
\*Get Information about the Feeder from where the power supply is provided to your connection  
\*Apply for the change of name  
\*Submit an application for addition/reduction in load

**Exploit**

Authentication bypass using OTP Fixation  
OTP reset functions uses id field  
An attacker can manipulate OTP ID field as each OTP id has fixed OTP code  
Let’s generate OTP for password reset  
Now as demonstrated in Video POC below OTP ID is 7310828 and Correct OTP for this id is 565449  
Now we know that for OTP ID 7310828 Correct OTP is 565449 hence we can use same OTP ID and OTP pair to reset any user account and take full control.  

**Proof Of Concept**

CVE-2021-41716: Account take over via OTP Fixation – CVEWalkthrough

A missing bounds check in image blurring code prior to WhatsApp for Android v2.21.22.7 and WhatsApp Business for Android v2.21.22.7 could have allowed an out-of-bounds write if a user sent a malicious image.

...

**Controlling Cookies with Browser Settings**

Your browser or device may offer settings that allow you to choose whether browser cookies are set and to delete them.  
These controls vary by browser, and manufacturers may change both the settings they make available and how they work at any time.  
Additional information about the controls offered by popular browsers can be found at the links below.  
Certain parts of WhatsApp Products may not work properly if you have disabled browser cookies.

Google Chrome  
Internet Explorer  
Firefox  
Safari  
Safari Mobile  
Opera

CVE-2021-24041: WhatsApp Security Advisories

There is an Improper access control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.

HUAWEI is releasing monthly security updates for flagship models. This security update includes Android and HUAWEI patches:

This security update includes the CVE announced in the Android security bulletin.

Critical: CVE-2021-1976, CVE-2021-1972

High: CVE-2021-0591, CVE-2021-0593, CVE-2021-0640, CVE-2021-0641, CVE-2021-0642, CVE-2021-0646, CVE-2021-0584, CVE-2021-1939, CVE-2021-1947, CVE-2021-1904, CVE-2021-1978, CVE-2021-0579, CVE-2021-0580, CVE-2021-0581, CVE-2021-0582, CVE-2021-0578

Medium: none

Low: none

Already included in previous updates: CVE-2019-9239, CVE-2019-9238, CVE-2019-9309, CVE-2021-1965, CVE-2021-1943, CVE-2021-1945, CVE-2021-1954, CVE-2021-1964

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-22450: Memory leaks in some HUAWEI devices due to exceptions when freeing memory

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability will exhaust system memory resources and cause the device to restart.

CVE-2021-22323: Memory leaks and out-of-bounds access vulnerabilities in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of these vulnerabilities may escalate the permission to that of the root user.

CVE-2021-37051: Out-of-bounds read vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds memory access.

CVE-2021-37050: Missing sensitive data encryption vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-37049: Heap-based buffer overflow vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may rewrite the memory of adjacent objects.

CVE-2021-37047: Input verification vulnerability in some HUAWEI phones

Severity: Low

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause some services to restart.

CVE-2021-37046: Memory leak vulnerability with the codec detection module in some HUAWEI devices

Severity: Medium

Affected versions: EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart due to memory exhaustion.

CVE-2021-37045: UAF vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause the device to restart unexpectedly and the kernel-mode code to be executed.

CVE-2021-37044: Permission control vulnerability in some HUAWEI devices

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2021-37040: Parameter injection vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause privilege escalation of files after CIFS share mounting.

CVE-2021-37039: Input verification vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause Bluetooth DoS.

CVE-2021-37038: Improper access control vulnerability in some HUAWEI devices

Severity: Medium

Affected versions: EMUI 10.1.1, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-37037: Invalid address access vulnerability in some HUAWEI devices

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2021-37027: DoS vulnerability in some HUAWEI devices

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service integrity.

CVE-2021-37013: Permission control vulnerability with the setHdbKey API in HwPackageManagerServiceEx in some EMUI devices

Severity: Low

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2021-37009: Multi-user settings vulnerability in the system components of some HUAWEI devices

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-37000: Improper permission management vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-36987: Nodes in the linked list being freed for multiple times in some HUAWEI devices due to race conditions

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability can cause the system to restart.

CVE-2021-3506: Out-of-bounds operation vulnerability after rooting in some HUAWEI phones

Severity: High

Affected versions: EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect service stability and integrity.

CVE-2021-33909: Privilege escalation vulnerability in the file system components of some HUAWEI devices

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-22486: Unstandardized field names in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-37052: Exception log vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause address information leakage.

CVE-2021-22437: Software integer overflow leading to a TOCTOU condition in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause random address access.

CVE-2021-22436: Logic bypass vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service integrity and availability.

CVE-2021-22435: Logic bypass vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality, availability, and integrity.

CVE-2021-22434: Memory address out of bounds vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause malicious code to be executed.

CVE-2021-22432: Vulnerability when configuring permission isolation in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-22431: Vulnerability when configuring permission isolation in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-22425: Nodes in the linked list being freed for multiple times in some HUAWEI devices due to race conditions

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability can cause the system to restart.

CVE-2021-22423: Integer overflow vulnerability with the Always On Display (AOD) driver in some HUAWEI devices

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may escalate the permission to that of the root user.

CVE-2021-22422: Integer overflow vulnerability with the Always On Display (AOD) driver in some HUAWEI devices

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may escalate the permission to that of the root user.

CVE-2021-22418: Integer overflow vulnerability with the Always On Display (AOD) driver in some HUAWEI devices

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may escalate the permission to that of the root user.

CVE-2021-22376: Logic bypass vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality, availability, and integrity.

CVE-2021-22372: Logic bypass vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-22371: Allowing arbitrary capture of call stacks in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-22370: Improper verification vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-22369: Memory leaks and out-of-bounds access vulnerabilities in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of these vulnerabilities may escalate the permission to that of the root user.

CVE-2021-22368: Access control vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.0.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect normal use of the device.

CVE-2021-22346: Improper permission management vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may lead to the disclosure of user habits.

CVE-2021-22343: Logic bypass vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service integrity and availability.

CVE-2021-22334: Malicious Wi-Fi construction vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 10.1.0, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause app redirections.

CVE-2021-22325: Video streaming vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may result in video streams being intercepted during wired projections.

CVE-2021-37054: Identity spoofing and authentication bypass vulnerability in some HUAWEI phones

Severity: Medium

Affected versions: EMUI 10.1.1, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-37055: Logic bypass vulnerability in some HUAWEI devices

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may allow attempts to obtain certain device information.

CVE-2021-22322: Logic bypass vulnerability in some HUAWEI phones

Severity: High

Affected versions: EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2021-37038: September

An issue was discovered in Mahavitaran android application 7.50 and below, allows local attackers to read cleartext username and password while the user is logged into the application.

**Mahavitaran Services now at your Fingertips**

The Official App for Consumer by Mahavitaran ( M.S.E.D.C.L.). Mahavitaran Consumer App enables consumers to avail Mahavitaran services at his/her fingertips. The app is simple and easy to use. It provides transparency in delivering services to consumers.

►Features :

\*View and Pay bill  
\*Register and Track complaints  
\*View Bill and Payment history  
\*Manage Multiple Electricity Connections  
\*Contact 24 x7 MSEDCL Call Center  
\*Apply for New Connection  
\* Know the status of New Connection Application and Pay Estimate Charges  
\*Submit Meter Reading to avoid average billing  
\*Provide Feedback about Mahavitaran Services  
\*Update Contact Details ( Mobile Number & E-mail ID ) of consumer  
\*Find MSEDCL offices and collection centers near you  
\*Estimate your monthly electricity consumption and bill amount  
\*Get Information about the Feeder from where the power supply is provided to your connection  
\*Apply for the change of name  
\*Submit an application for addition/reduction in load

►Functionalities available in Mobile App :

1.Apply for new connection : Apply for New Electricity Connection in just 4 steps

2.Track New Connection Request : Status of New Connection application can be tracked using unique Application Id and estimate charges can be paid

3.Submit Reading : Submit own meter reading along with meter photo to avoid average billing, after receipt of SMS from Mahavitaran. Mahavitaran will send SMS, if meter reading is not made available by meter reader

4.Feedback: Submit ratings of Mahavitaran services in the scale of 1 to 5, where 5 means Outstanding and 1 means poor service

5.View/Pay Bill: View and Pay Electricity Bills using different payment options like  
a.Net banking  
b.Debit Card  
c.Credit Card  
d.Cash Cards  
e.Mobile Wallets  
f.Paytm

6.Update Contact details: Update Mobile Number,E-Mail ID & AadharCard No. of consumer

7.Register & Track Complaint: Register & Track Power Failure and Billing Complaints etc

8.History: View Electricity Bill history and Payments history

9.Add & Remove connection: Manage multiple electricity connections from registered account.

10.Customer Care: Call 24\*7 MSEDCL Call Center

11.Nearest Locations : Find MSEDCL offices and collection centers near you

12.Estimate consumption and bill amount : Estimate consumption in KWH by providing details about usage of appliances. Also, know the approx. monthly bill amount for that estimate.

13.Get Information about the Feeder : Feeder is a line which transfers power to the consumer through a transformer. Know technical details about this feeder and outages planned in the future, if any.

14.Report Power Theft : Inform any suspected electricity theft activity in your area

15.Apply for change of name: Submit application for changing the registered name of electricity connection

16.Add/Reduce Load: Submit application for increasing/decreasing the load of electricity connection

►Other Features :  
1.Consumer Registration: Sign up to Mahavitaran Consumer portal through mobile app

2.Guest Login: View and Pay Electricity Bills without signing up

3.App is available in English as well as Marathi Language

4.Forgot Login Name / Password: Recover forgotten account details

►For using Mahavitaran Mobile App, all you need :  
• A smart phone with Android Operating System (OS 4.0 or above).  
• Internet connectivity like GPRS/EDGE/3G/Wi-Fi/4G etc.

\[ Note: For queries related to your online mobile payment transactions, please email to helpdesk\_pg@mahadiscom.in\]

For feedback & suggestions about this app, kindly email us at msedclapp@mahadiscom.in

CVE-2020-27413: Mahavitaran - Apps on Google Play

The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action

CVE-2021-25041: Changeset 2467205 – WordPress Plugin Repository

An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication.

IoT security devices, such as smart padlocks, need to perform at least as well as their non-smart counterparts if consumer trust is to be gained. Unfortunately, many such devices are fundamentally flawed, with poor design meaning they are simple to subvert. Once such device is the eGeeTouch 3rd Generation Travel Padlock.

The eGeeTouch 3rd Generation Travel Padlock

Available in the UK for £19.90 from Amazon, the lock boasts a number of features, including Bluetooth operation via the companion smartphone app, RFID tag support, and a TSA manual override. So far, so good. However, digging deeper, it is clear that the device should be used with extreme caution. Access to the device is handled via a password set in the app:

eGeeTouch app – password management screen

This password is required when initially pairing the lock with the app; without that the two can’t talk to each other. Setting the password to **080379**, we can then look to see how the lock communicates with the app, and vice versa. To do so, we can use btlejack, a Python tool that leverages the Bluetooth LE chipset in the BBC micro:bit development board to hijack the connection and dump the output to a Wireshark format dump file (download it here). Looking at output from a successfully captured session, we can see the following in packet 78:

Authentication capture

The capture indicates a write to the **0xfff8** attribute of the letter **a** plus our secret code, **080379**. The lock then replies with a range of other information, for example the Model Number in packet 89 :

eGeeTouch model number

and the firmware revision in packet 92:

eGeeTouch Firmware

Triggering an unlock event via the app sends the following (packet 95):

Unlock event

whilst a lock event sends the following (packet 101):

Lock event

It seems clear therefore that the operation of the lock, at least via the companion app, is controlled by these three commands; an initial authentication, followed by the relevant lock or unlock code. All three use the “secret” code that was set in the app. How much access can we get knowing that?

The app is currently logged in using the following account:

User account

Let’s then log out and try signing up with a brand new account:

Attacker account

Logging in, we can see that no devices are currently registered:

No devices registered

Clicking the Add Lock button brings up the following:

Lock choice screen

Select the correct device and we are asked for the pairing password. Enter that and:

Success!

The user now has full admin rights over the lock, including, crucially, the ability to change the pairing password and so lock the legitimate owner out. No notification is provided to the original user that their password has been used on another account, so they are none the wiser that the lock is compromised.

The exploit relies on the attacker having the ability to capture the data flowing between the device and the companion app. There are a number of different ways of doing this in addition to the btlejack method; for example, the image below identifies the same back and forward communication as in the PCAP, though in this case it was captured using the Gattacker tool:

Gattacker output

The attack does require a small amount of contact with the device, amounting to a push of the power button on the side of the lock. In a busy environment such as a railway station or airport it is not an impossible obstacle to surmount. In short, the eGeeTouch Travel Padlock should be passed over if you are looking for a reliably secure device.

I will be returning to this lock in a later post, as there are a number of other serious issues that greatly impact its desirability as a consumer product.

CVE-2021-44518: The eGeeTouch TSA Smart Lock is Anything But – Ash Allen – Security

IoT security devices, such as smart padlocks, need to perform at least as well as their non-smart counterparts if consumer trust is to be gained. Unfortunately, many such devices are fundamentally flawed, with poor design meaning they are simple to subvert. Once such device is the eGeeTouch 3rd Generation Travel Padlock.

![](https://ashallen.net/wp-content/uploads/2021/12/travel-padlock-0.jpg)

The eGeeTouch 3rd Generation Travel Padlock

Available in the UK for £19.90 from Amazon, the lock boasts a number of features, including Bluetooth operation via the companion smartphone app, RFID tag support, and a TSA manual override. So far, so good. However, digging deeper, it is clear that the device should be used with extreme caution. Access to the device is handled via a password set in the app:

![](https://ashallen.net/wp-content/uploads/2021/12/Screenshot-2021-12-02-at-14.10.14-002-576x1024.jpg)

eGeeTouch app – password management screen

This password is required when initially pairing the lock with the app; without that the two can’t talk to each other. Setting the password to **080379**, we can then look to see how the lock communicates with the app, and vice versa. To do so, we can use btlejack, a Python tool that leverages the Bluetooth LE chipset in the BBC micro:bit development board to hijack the connection and dump the output to a Wireshark format dump file (download it here). Looking at output from a successfully captured session, we can see the following in packet 78:

![](https://ashallen.net/wp-content/uploads/2021/12/auth.png)

Authentication capture

The capture indicates a write to the **0xfff8** attribute of the letter **a** plus our secret code, **080379**. The lock then replies with a range of other information, for example the Model Number in packet 89 :

![](https://ashallen.net/wp-content/uploads/2021/12/model.png)

eGeeTouch model number

and the firmware revision in packet 92:

![](https://ashallen.net/wp-content/uploads/2021/12/firmware.png)

eGeeTouch Firmware

Triggering an unlock event via the app sends the following (packet 95):

![](https://ashallen.net/wp-content/uploads/2021/12/unlock.png)

Unlock event

whilst a lock event sends the following (packet 101):

![](https://ashallen.net/wp-content/uploads/2021/12/lock.png)

Lock event

It seems clear therefore that the operation of the lock, at least via the companion app, is controlled by these three commands; an initial authentication, followed by the relevant lock or unlock code. All three use the “secret” code that was set in the app. How much access can we get knowing that?

The app is currently logged in using the following account:

![](https://ashallen.net/wp-content/uploads/2021/12/Screenshot-2021-12-02-at-15.39.50-576x1024.jpg)

User account

Let’s then log out and try signing up with a brand new account:

![](https://ashallen.net/wp-content/uploads/2021/12/IMG_5274-576x1024.png)

Attacker account

Logging in, we can see that no devices are currently registered:

![](https://ashallen.net/wp-content/uploads/2021/12/IMG_5271-576x1024.png)

No devices registered

Clicking the Add Lock button brings up the following:

![](https://ashallen.net/wp-content/uploads/2021/12/IMG_5272-576x1024.png)

Lock choice screen

Select the correct device and we are asked for the pairing password. Enter that and:

![](https://ashallen.net/wp-content/uploads/2021/12/IMG_5273-576x1024.png)

Success!

The user now has full admin rights over the lock, including, crucially, the ability to change the pairing password and so lock the legitimate owner out. No notification is provided to the original user that their password has been used on another account, so they are none the wiser that the lock is compromised.

The exploit relies on the attacker having the ability to capture the data flowing between the device and the companion app. There are a number of different ways of doing this in addition to the btlejack method; for example, the image below identifies the same back and forward communication as in the PCAP, though in this case it was captured using the Gattacker tool:

![](https://ashallen.net/wp-content/uploads/2021/12/gattacker-1024x711.png)

Gattacker output

The attack does require a small amount of contact with the device, amounting to a push of the power button on the side of the lock. In a busy environment such as a railway station or airport it is not an impossible obstacle to surmount. In short, the eGeeTouch Travel Padlock should be passed over if you are looking for a reliably secure device.

I will be returning to this lock in a later post, as there are a number of other serious issues that greatly impact its desirability as a consumer product.

Mahavitaran android application 7.50 and prior transmit sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header, MITM or browser history.

**Vulnerable Software:** Maharashtra State Electricity Board Android Application

**Vulnerability:** Insecure Communication of sensitive data

**Affected Version:** 7.50 and prior

**Patched:** Yes

**Vendor Homepage:** https://www.mahadiscom.in/en/home/

**App store link:** https://play.google.com/store/apps/details?id=com.msedcl.app&hl=en\_IN&gl=US

**CVE:** CVE-2020-27414

**CVE Author:** Tejas Nitin Pingulkar

**Exploit Available:** POC Available

**About Affected Software**

The Official App for Consumer by Mahavitaran ( M.S.E.D.C.L.). Mahavitaran Consumer App enables consumers to avail Mahavitaran services at his/her fingertips. The app is simple and easy to use. It provides transparency in delivering services to consumers.

►Features :

\*View and Pay bill  
\*Register and Track complaints  
\*View Bill and Payment history  
\*Manage Multiple Electricity Connections  
\*Contact 24 x7 MSEDCL Call Center  
\*Apply for New Connection  
\* Know the status of New Connection Application and Pay Estimate Charges  
\*Submit Meter Reading to avoid average billing  
\*Provide Feedback about Mahavitaran Services  
\*Update Contact Details ( Mobile Number & E-mail ID ) of consumer  
\*Find MSEDCL offices and collection centers near you  
\*Estimate your monthly electricity consumption and bill amount  
\*Get Information about the Feeder from where the power supply is provided to your connection  
\*Apply for the change of name  
\*Submit an application for addition/reduction in load

**Exploit**

Use any proxy software such as burp  
login via app  
intercept traffic  
Observe that app sends username password as url parameter

**Proof Of Concept**

CVE-2020-27414: Insecure Communication of Sensitive Data – CVEWalkthrough

Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who know the SIM phone number and password) to listen to a device's surroundings via a callback in an SMS command, as demonstrated by the 123456 and 523681 default passwords.

**November 30, 2021**

**Parents always strive to take care of their children. Technology innovations help them reach this goal, through various wearables like smartwatches and GPS trackers. More and more models of these devices are getting close to smartphones in functionality. For example, many of them can track the child’s location and travel route. These devices can also make and answer phone and video calls, receive SMS and voicemail, take pictures, and listen to the surroundings. It is even possible to enable the remote control of the device. Doctor Web has analyzed the potential threats that such gadgets can pose to parents and their children.**

During their daily operation, these devices collect and transmit data to the manufacturer’s servers and make it available to parents through their personal accounts. The information obtained with smartwatches is very sensitive. If malicious actors get their hands over such information, it can put children in great danger.

To understand the vulnerability and dangers of children’s smartwatches, Doctor Web's specialists analyzed several popular models: Elari Kidphone 4G, Wokka Lokka Q50, Elari FixiTime Lite, and Smart Baby Watch Q19. We chose models based on public popularity ratings for the Russian market, and purposefully selected models from different price ranges. We purchased all smartwatches anonymously from a large Russian online store.

We carried out both static and dynamic analyses during the inspection: we searched for potential implants in the software and possible undocumented features, as well as checked network activity, transmitted data, and how it was secured.

****Elari Kidphone 4G Smartwatch****

Several versions of the Elari Kidphone 4G watches exist. They are based on different hardware platforms but they all run an Android OS and their firmware differs slightly.

The analysis has demonstrated that the remote server the watch transmits data to is located outside of Russia which may pose a potential threat. The main threat of this model, however, comes from installed software. Its firmware has a built-in app for over-the-air updating, and this app has a trojan functionality.

Firstly, the application sends the child’s geolocation data to its own remote server. Secondly, we found a malicious code inside it, which is detected by Dr.Web as **Android.DownLoader.3894**. Every time the watch turns on or network connection changes, this code launches two malicious modules, **Android.DownLoader.812.origin** and **Android.DownLoader.1049.origin**. They connect to the C&C server to transmit various information and to receive commands. By default, the modules connect to the server every 8 hours. Because of this, a high time delay exists between the first connection and the first time the watch turned on.

The **Android.DownLoader.812.origin** module sends the user’s mobile phone number and SIM card information, geolocation data, and information about the device itself to the C&C server. In response, it can receive commands to change the frequency of requests to the server, update the module, download, install, run and uninstall apps, and load web pages.

The **Android.DownLoader.1049.origin** module sends SIM card and mobile phone number information, geolocation data, a large number of data about the device and installed apps, as well as the info about the number of SMS, phone calls, and contacts in the phone book to the C&C server.

Thus, **Android.DownLoader.3894** hidden in this watch can be used for cyber espionage, displaying ads, and installing unwanted or even malicious apps.

****Wokka Lokka Q50 Smartwatch****

The analysis of network activity on this model did not reveal any suspicious actions. The child’s geolocation data that is collected during watch operation is sent to a remote server located in Russia. At the same time, we did not observe any sensitive information transmitted to third-party servers.

The geolocation data is transmitted to the server without encryption which can pose a potential threat to Wokka Lokka Q50 users. Theoretically, the attackers could hijack unprotected data though a man-in-the-middle attack. However, because the data is transmitted through the mobile operator network, chances of such an attack to occur are not high.

Officially, this watch is controlled through the mobile app installed on the parents’ devices. But Wokka Lokka Q50 can also be controlled through special SMS commands. The watch manual does not list information on alternative control mechanisms, however. Still, it is the way the SMS control mechanism itself is implemented that poses certain risks.

The main vulnerability of Wokka Lokka Q50 is its passwords. In all watches of this model line, the standard 123456 password (523681 password in some versions of the watch) is used to send SMS commands. However, the watch has no functionality to force-change the default password when the device is turned on for the first time. The manual does not have a recommendation to change it; it also cannot be changed through the controlling app.

The only place that mentions the possibility of changing the default password is an online FAQ on the brand’s official site. But users rarely visit these official sites to search for additional info on the devices they bought. Therefore, a significant number of buyers of these watches will not know that the gadget can be controlled through SMS, and they will use the devices with the default password, not realizing that it can and should be changed. This poses a serious threat.

If a malicious third-party knows the watch’s password and SIM phone number, they can easily gain control over the device. For example, they can request GPS location that will be sent in the reply SMS, remotely listen to the surroundings through a callback to a phone number specified in the command, and even change the C&C server address to their own and gain access to all the information the watch collects.

Even if the default password is changed, it will not solve the problem completely. It is true that a password change will make many commands unavailable for the attacker. But they can still execute the command to verify the watch’s status and parameters without any limits, from any phone number. If the attacker uses this command, the watch will send them the current administrator’s phone number, among other data about the device. Knowing this number, the attacker can act on behalf of the administrator (i.e., the parents) and set a new password for the watch and gain complete control over it.

****Elari FixiTime Lite Smartwatch****

During the analysis of the Elari FixiTime Lite smart watch network activity, we did not trace any suspicious activity. However, these watches send data to a C&C server located outside of Russia. Moreover, the information on GPS coordinates is transmitted to the server through the MQTT protocol without encryption, similar to the Wokka Lokka Q50 watch. Also, voicemails and photos are sent through unprotected HTTP protocol. In the case of a successful man-in-the-middle attack, the malicious actors can intercept this data.

The password used to connect to the MQTT protocol to transmit the data is hardcoded in the firmware of the watch, which is another potential danger of this model. If the attacker knows the watch’s IMEI and this password, they can connect to the server and disguise themselves as the attacked device and transmit fake data.

****Smart Baby Watch Q19 Smartwatch****

The analysis of this watch did not reveal suspicious activity or any commands that could possibly lead to the confidential information leak. The watch encrypts the data it sends to the C&C server, and it will be difficult for potential attackers to gain access to this information. However, the C&C server is located outside Russia which poses a potential threat. In addition, this watch also uses the default 123456 password to send control commands. At the same time, the list of available commands is significantly reduced in this model.

****Conclusions****

The performed analysis showed that the security level of children’s smartwatches is quite unsatisfactory. Our research covered several models, but the problem with these devices is that different models can have similar software. For example, a variety of smartwatch models and GPS trackers use firmware similar to the one installed on the Wokka Lokka Q50. They also have standard passwords to control them through SMS. Therefore, their users are facing the same risks as the owners of Wokka Lokka Q50 watches. With that, new models constantly appear on the market, and there is no guarantee that they will have no any vulnerabilities either.

In addition, the discovery of the trojan preinstalled on the Elari Kidphone 4G smart watch clearly demonstrates the danger hidden in Android OS-based devices of this type. Third-party firms often create their firmware, and manufacturers rarely check firmware’s security and integrity. Therefore, it is possible that during the manufacturing stage, malicious actors will plug Android smart watches with trojans or adware.

The summary table below shows the main vulnerabilities of the examined smart watches:

![#drweb](https://st.drweb.com/static/new-www/news/2021/october/child_smart_watch_en.1.png)

Doctor Web has notified the manufacturers of uncovered vulnerabilities.

Smart watches are a convenient and relatively inexpensive way to protect and monitor a child. But they still pose certain risks. They can silently send confidential information to third-party services, execute malicious functionalities, and put children in danger if cybercriminals hack and control these devices.

Parents should be careful when using such devices to monitor their children and must carefully examine possible security risks before making their purchase. Otherwise, the model they choose can do their child more harm than good.

*   More details on Android.DownLoader.3894
*   More details on Android.DownLoader.812.origin
*   More details on Android.DownLoader.1049.origin

Tag

#android