I got some leftover gift cards from coming in second in the Japan Chess Sunday Cup Grand Prix and used all of them to purchase routers; this is one of the CVEs I got! Unlike my previous CVE-2020-35576, this vulnerability is present on the latest hardware of the router, so I will not be disclosing the exploit details for now.
CVE-2021-4144
Affected Firmware: all firmware prior to TL-WR802N V4(JP)_V4_211202
CVSS Base Score: 7.2 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Fixed Firmware
Date: 2021-12-08
Release notes: Fixed a command injection vulnerability and strengthened the device's security.
Introduction
So, a quick introduction to this router. It was released in 2016 and has been a very popular and cheap ($18) portable pocket router, ranked 24th on Amazon JP at the time of the report.
Although it was released 5 years ago, there has been only one firmware patch per hardware version, so many security features were absent. This led me to choose it as my next target!
Bug Discovery via QEMU Analysis
This is redacted.
The Exploit
This is also redacted.
Afterthoughts
I would like to thank my company, PwC Japan, for giving me a lot of free time during work, which resulted in me discovering yet another router CVE.
Timeline
TP-Link took some time to respond to this one and the disclosure was delayed by 6 months.
2021-06-24 00:21:34 JST - Reported to Vendor (security[at]tp-link.com)
2021-06-25 11:09:13 JST - Vendor acknowledgement and reply
2021-07-28 19:51:55 JST - Asked Vendor for updates
2021-11-05 07:49:23 JST - Asked Vendor for updates
2021-11-05 12:36:45 JST - Vendor replied with beta firmware dated June 2021 and said they did not receive the July email
2021-11-06 03:52:01 JST - Replied to Vendor confirming fixes
2021-11-06 04:47:00 JST - Contacted JPCERT/CC for coordinated disclosure
2021-11-08 21:09:10 JST - Acknowledgement from Vendor
2021-11-10 02:16:00 JST - Acknowledgement from JPCERT/CC
2021-12-08 16:03:00 JST - Vendor officially released firmware
2021-12-10 02:44:58 JST - JVN draft received from JPCERT/CC
2021-12-21 17:51:00 JST - CVE number assigned by JPCERT/CC
2021-12-22 07:15:59 JST - Blog post published