Classification: //Dell SecureWorks/Confidential - Limited External
Distribution:
############################################################################
# * Title: TP-Link TL-WR840N Configuration Import Cross-Site Request Forgery
(CSRF)
# * Advisory ID: SWRX-2015-001
# * Advisory URL:
http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2015-00
1/
# * Date published: Wednesday, January 7, 2015
# * CVE: CVE-2014-9510
# * CVSS v2 base score: 9.3
# * Date of last update: Wednesday, January 7, 2015
# * Vendors contacted: TP-Link
# * Release mode: Coordinated
# * Discovered by: Sean Wright, Dell SecureWorks
############################################################################
Summary:
TP-Link is a primary provider of networking equipment and wireless products
for small and home offices as well as for small to midsized businesses.
TL-WR840N is a combination wired/wireless router specifically targeted to
small business and home office networking environments. The router's web
administration console contains a cross-site request forgery (CSRF)
vulnerability that allows threat actors to import their own configuration to
the router. An attack could alter any configuration setting on the device.
----------------------------------------------------------------------------
Affected products:
This vulnerability affects TP-Link TL-WR840N v1 (firmware 3.13.27, build
140714 and prior).
----------------------------------------------------------------------------
Vendor information, solutions, and workarounds:
TL-WR840N users should upgrade the router's firmware to 3.13.27, build
141120 or later.
----------------------------------------------------------------------------
Details:
The TP-Link TL-WR840N router provides a web administration console that
enables the device owner to
change the router's configuration. The administration console includes an
option to import an existing
configuration from a binary file, but this feature is vulnerable to CSRF
attacks. A threat actor could use
social engineering to trick a victim into visiting a malicious web page that
exploits the CSRF vulnerability
and imports a malicious configuration file via the router's web
administration console. The attacker
could change any settings on the router, including the firewall settings and
the router's remote
administration capabilities. If the device owner has not changed the default
username and password,
then the attack would not require the victim to log into the router's web
administration console.
----------------------------------------------------------------------------