In TP-Link devices, a replay attack is possible when the system does not have a sufficiently long nonce (number used once) in the hash of an authentication token. If a replay attack is successfully executed, an attacker can change the configuration of the device with the attacker's configuration, access the device with the admin user ID, modify the application, and record the hash value of the newly generated authentication token to inject the newly generated authentication token into the next request and replay the request to view the previously modified configuration. This vulnerability can be exploited by attackers by sending a specially crafted request to the target device. An attacker can use social engineering techniques, for example, email spoofing, to trick a user into opening a specially crafted email. In TP-Link devices, a replay attack is possible when the system does not have a sufficiently long nonce (number used once) in the hash of an authentication token. If a replay attack is successfully executed, an attacker can change the configuration of the device with the attacker's configuration, access the device with the admin user ID, modify the application, and record the hash value of the newly generated authentication token to inject the newly generated authentication token into the next request and replay the request to view the previously modified configuration
Software version of affected devices
The following software versions are affected by this vulnerability:
Device Software Version
TL-WR841N v8.0.0 Build 121
TL-WR841HP v9.0.0 Build 17061
TL-WR842N v8.0.0 Build 121
TL-WDR3600 v9.6.2 Build 16896
Security Weakness in TP-Link Smart HUB and AC2400
A replay attack vulnerability exists in TP-Link Smart HUB and AC2400 devices. This vulnerability is due to the system not having a sufficiently long nonce (number used once) in the hash of an authentication token. If a replay attack is successfully executed, an attacker can change the configuration of the device with the attacker's configuration, access the device with the admin user ID, modify the application, and record the hash value of the newly generated authentication token to inject the newly generated authentication token into the next request and replay the request to view the previously modified configuration. This vulnerability can be exploited by attackers by sending a specially crafted request to target devices. An attacker can use social engineering techniques, for example, email spoofing, to trick a user into opening a specially crafted email.
Vulnerable devices
TP-Link Archer C50, C31, C25, and HAP AC3200
TP-Link TL-WDR3600
TP-Link TL-WR841N
TP-Link TL-WR842N
Vulnerable Code
The following code is vulnerable.
if(nonce==0) {
return; }
Nonce = nonce + 1; // Hack away!
if(nonce > MAX_AUTH_TOKEN_LENGTH-1) { // Hack away!
return;
} else { // Hack away!
Timeline
Published on: 10/18/2022 15:15:00 UTC
Last modified on: 10/20/2022 15:47:00 UTC