A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.
{"id": "CVE-2022-27178", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-27178", "description": "A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.", "published": "2022-08-05T22:15:00", "modified": "2022-08-09T19:10:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27178", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2022-1506"], "cvelist": ["CVE-2022-27178"], "immutableFields": [], "lastseen": "2022-08-09T20:32:28", "viewCount": 19, "enchantments": {"twitter": {"counter": 5, "tweets": [{"link": "https://twitter.com/CVEnew/status/1555701566195236874", "text": "CVE-2022-27178 A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger ... https://t.co/qvt0ycuVKF", "author": "CVEnew", "author_photo": "https://pbs.twimg.com/profile_images/1447927972393111557/PQRMlVvZ_400x400.jpg"}, {"link": "https://twitter.com/hernanespinoza/status/1555813700015120386", "text": "CVEnew: CVE-2022-27178 A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14.\nA specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger\u2026 https://t.co/ygTceA1mQd", "author": "hernanespinoza", "author_photo": "https://pbs.twimg.com/profile_images/1547685026636017665/VkgyrG2V_400x400.jpg"}, {"link": "https://twitter.com/SecRiskRptSME/status/1555819412317523968", "text": "RT:\n\nCVE-2022-27178 A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger ..\u2026", "author": "SecRiskRptSME", "author_photo": "https://pbs.twimg.com/profile_images/1547358957429133313/ZRwWMNxZ_400x400.jpg"}, {"link": "https://twitter.com/eyeTSystems/status/1555818256736419842", "text": "CVE-2022-27178 A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger ...\nhttps://t.co/bXRLFKlO7o", "author": "eyeTSystems", "author_photo": "https://pbs.twimg.com/profile_images/733144294278582272/6tkqfYMy_400x400.jpg"}]}, "score": {"value": 2.9, "vector": "NONE"}, "dependencies": {"references": [{"type": "talos", "idList": ["TALOS-2022-1506"]}]}, "vulnersScore": 2.9}, "_state": {"twitter": 0, "score": 1660077439, "dependencies": 1660077172}, "_internal": {"score_hash": "8805395bb5831897fd476ece4114a4d2"}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "score": 9.6}}}, "cpe": ["cpe:/o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14"], "cpe23": ["cpe:2.3:o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "tcl:linkhub_mesh_wifi_ac1200", "version": "ms1g_00_01.00_14", "operator": "eq", "name": "tcl linkhub mesh wifi ac1200"}], "affectedConfiguration": [{"name": "tcl linkhub mesh wifi ac1200", "cpeName": "tcl:linkhub_mesh_wifi_ac1200", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:tcl:linkhub_mesh_wifi_ac1200:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1506", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1506", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-08-09T22:07:06", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1506\n\n## TCL LinkHub Mesh Wi-Fi confctl_set_wan_cfg denial of service vulnerability\n\n##### August 1, 2022\n\n##### CVE Number\n\nCVE-2022-27178\n\n##### SUMMARY\n\nA denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nTCL LinkHub Mesh Wifi MS1G_00_01.00_14\n\n##### PRODUCT URLS\n\nLinkHub Mesh Wifi - <https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack>\n\n##### CVSSv3 SCORE\n\n9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n\n##### CWE\n\nCWE-284 - Improper Access Control\n\n##### DETAILS\n\nThe LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.\n\nThe LinkHub Mesh system uses protobuffers to communicate both internally on the device, as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi, or wired network, provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.\n\nIn this case, the handler is `confsrv`, which handles many message types. In this case we are interested in `WanCfg`\n \n \n message AdslCfg {\n required string uname = 1;\n required string passwd = 2;\n optional int32 mode = 3;\n optional WanDnsCfg dns = 4; \n optional int32 mtu = 5;\n optional string service_name = 6;\n optional string server_name = 7;\n }\n message StaticCfg {\n required string ipaddr = 1;\n required string mask = 2;\n required string gateway = 3;\n optional WanDnsCfg dns = 6; \n }\n message DynamicCfg {\n optional WanDnsCfg dns = 1; \n }\n message WanPortCfg {\n required int32 idx = 1; \n required int32 mode = 2; [2]\n optional AdslCfg adsl = 3; \n optional StaticCfg static_info = 4; \n optional DynamicCfg dhcp = 5; \n optional RussiaAdslCfg rsadsl = 6; \n optional RussiaPPTPCfg rsapptp = 7; \n optional RussiaL2tpCfg rsal2tp = 8; \n optional IpnetCfg cfg = 9; \n }\n message WanCfg {\n repeated WanPortCfg wan = 1; [1]\n optional uint64 timestamp = 2;\n optional int32 double_wan = 3;\n }\n message WanDnsCfg {\n required bool automic = 1;\n optional string dns1 = 2;\n optional string dns2 = 3;\n }\n message IpnetCfg {\n optional bool automic = 1;\n optional string ipaddr = 2;\n optional string mask = 3;\n optional string gateway = 4;\n optional string dns1 = 5;\n optional string dns2 = 6;\n } \n \n\nUsing [1] we have control over `wan` in the packet. The parsing of the data in the protobuf is done in `confctl_set_wan_cfg`. We also have control over the `WanPortCfg`. For this example, most important is `mode` at [2].\n \n \n 00448b74 int32_t confctl_set_wan_cfg(int32_t arg1, uint8_t* data, int32_t len)\n \n 00448b94 arg_0 = arg1\n 00448ba0 int32_t $a3\n 00448ba0 arg_c = $a3\n 00448ba8 int32_t $v0_1\n 00448ba8 if (data == 0) {\n 00448bd0 printf(\"[%s][%d][luminais] invalid param\u2026\", \"confctl_set_wan_cfg\", 0xe61)\n 00448bdc $v0_1 = 0xffffffff\n 00448bdc } else {\n ...\n 00448c90 struct WanCfg* $v0_3 = wan_cfg__unpack(0, len, data)\n 00448ca4 if ($v0_3 == 0) {\n 00448ccc printf(\"[%s][%d][luminais] wan_cfg__unpa\u2026\", \"confctl_set_wan_cfg\", 0xe71)\n 00448cd8 $v0_1 = 0xffffffff\n 00448cd8 } else {\n 00448cfc if (confctl_module_debug_en(module_id: 0xb) != 0) {\n 00448d10 print_wan_cfg($v0_3)\n 00448d10 }\n 00448d40 if (GetValue(name: \"sys.workmode\", output_buffer: &var_cc) == 0) {\n 00448d68 memcpy(&var_cc, \"router\", 7)\n 00448d5c }\n 00448d78 uint32_t $v0_8 = $v0_3->wan_ctr\n 00448dcc int32_t var_f4_1\n 00448dcc for (var_f4_1 = 0; var_f4_1 u< $v0_8; var_f4_1 = var_f4_1 + 1) {\n 00448dac if (*(*($v0_3->wan + (var_f4_1 << 2)) + 0x10) == 0x10) { [3]\n 00448dac break\n 00448dac }\n 00448dac }\n 00448de8 if (var_f4_1 == $v0_8) {\n ...\n 00449870 } else if (strcmp(&var_cc, \"router\") == 0) {\n 00448e34 SetValue(name: \"sys.workmode\", input_buffer: \"ap\") [4]\n 00448e4c sub_448a38()\n 00448e4c } \n \n\nThe most basic example of this functionality is being able to swap the working mode of the device from `router` to `ap`. This swap will completely disable the network connectivity if the device is in `router` mode. At [3] the function parses the `mode` provided in the protobuffer. If the value is 0x10, then the swap to `ap` mode will occur. There is significantly more functionality you can do with this same protobuffer packet, modifying all of the WAN network configurations seen in the `WanPortCfg` protobuffer definition.\n\n##### TIMELINE\n\n2022-03-29 - Vendor Disclosure \n2022-08-01 - Public Release\n\n##### Credit\n\nDiscovered by Carl Hurd of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1505\n\nPrevious Report\n\nTALOS-2022-1507\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-01T00:00:00", "type": "talos", "title": "TCL LinkHub Mesh Wi-Fi confctl_set_wan_cfg denial of service vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-27178"], "modified": "2022-08-01T00:00:00", "id": "TALOS-2022-1506", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1506", "cvss": {"score": 0.0, "vector": "NONE"}}]}