RCE, information disclosure, and DoS issues fixed by TP-Link

Nov 19, 2018 17:59 GMT

TP-Link TL-R600VPN routers with HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3 were found to contain multiple remotely exploitable security issues, including remote code execution (RCE), denial-of-service (DoS), and information disclosure flaws, as disclosed by Cisco Talos' Jared Rittle.

Luckily, the remote code execution vulnerabilities discovered in the TP-Link TL-R600VPN 'SafeStream Gigabit Broadband VPN Router' require remote attackers to be authenticated, which reduces the severity of these security issues.

However, according to the Cisco Talos researcher, the exploit code "could be executed with root privileges" because the arbitrary code execution is performed under the security privileges of the HTTPD process, which always runs as root.

On the other hand, the DoS and information disclosure security issues affecting unpatched TL-R600VPN routers could potentially be exploited by unauthenticated attackers, which, as expected, raises their severity, even though they would not be considered more critical than an RCE bug.

All vulnerabilities disclosed by Rittle in his advisories stem from content parsing errors, which lead to the TALOS-2018-0619 and TALOS-2018-0620 RCE flaws, and from a dangerous lack of input sanitization, which triggers the TALOS-2018-0617 and TALOS-2018-0618 DoS and information disclosure conditions.

Linksys E Series routers also found vulnerable to RCE exploits

All four security issues affecting TP-Link's TL-R600VPN router were disclosed on June 28 and were fixed on November 19, following an interim beta patch sent by TP-Link to Cisco Talos on October 10.

This is not the first time Rittle has disclosed router vulnerabilities: in October he found three security issues in the Linksys E Series line of routers that would allow attackers to execute arbitrary system commands by exploiting operating system command injection flaws.

"An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine," said Rittle.

Moreover, the researcher also designed and tested a number of proofs of concept against two Linksys router models, the Linksys E1200 and the Linksys E2500, but, as he disclosed in his advisory, multiple other routers in the Linksys E Series line were also vulnerable.