A couple of vulnerabilities were discovered on a couple of TP-Link products. The vulnerabilities identified as CVE-2022-4498 and CVE-2022-4499 are rated Critical & High and assigned CVSS scores of 9.8 & 7.5 on the scale. It is worth knowing about the vulnerabilities as these flaws allow threat actors to perform arbitrary code execution, Denial of Services, device crash, and username and password guess on the vulnerable devices. We created this post to create awareness about these unpatched vulnerabilities in TP-Link Routers. Let’s get started.
Summary of The Two Unpatched Vulnerabilities in TP-Link Routers
A 150Mbps Wireless N mini pocket router, WR710N-V1-151022, and a dual-band gigabit wireless router, Archer-C5-V2-160201, with their latest firmware available as of January 11, 2023, are prone to two unpatched vulnerabilities. Let’s see one after another in the below sections.
Summary of CVE-2022-4498
The flaw is due to improper handling of user input during HTTP Basic Authentication mode. A specially crafted HTTP request can cause a heap overflow in the httpd daemon. This would lead to the crash of httpd daemon would further stage to denial of service or remote code execution.
In other words, we could say that this vulnerability could let remote attackers execute arbitrary code without authentication in the affected TP-Link routers.
| Associated CVE ID | CVE-2022-4498 |
| Description | A critical buffer overflow vulnerability |
| Associated ZDI ID | |
| CVSS Score | 9.8 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Summary of CVE-2022-4499
The flaw lice in the strcmp() function in httpd. This vulnerability allows a threat actor to guess each byte of a username and password input during authentication by measuring the response time of the vulnerable process.
| Associated CVE ID | CVE-2022-4499 |
| Description | A side-channel vulnerability allows to guess the credentials |
| Associated ZDI ID | |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Impact Score | 3.6 |
| Exploitability Score | 3.9 |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | None |
| availability (a) | None |
Fix or Workaround
At the time of publishing this post, there are no official fixes or workaround released either by the Vendor or any third-party security firms. Please reach out to TP-Link or keep checking the CERT/CC advisory for any updates.