An information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.
{"id": "CVE-2022-27630", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-27630", "description": "An information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.", "published": "2022-08-05T22:15:00", "modified": "2022-08-09T19:09:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27630", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2022-1504"], "cvelist": ["CVE-2022-27630"], "immutableFields": [], "lastseen": "2022-08-09T20:32:27", "viewCount": 22, "enchantments": {"score": {"value": 1.6, "vector": "NONE"}, "dependencies": {"references": [{"type": "talos", "idList": ["TALOS-2022-1504"]}]}, "vulnersScore": 1.6}, "_state": {"twitter": 0, "score": 1660077439, "dependencies": 1660077172}, "_internal": {"score_hash": "6cce82209680cc3c774cf7b210cf4f1d"}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5}}}, "cpe": ["cpe:/o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14"], "cpe23": ["cpe:2.3:o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14:*:*:*:*:*:*:*"], "cwe": ["CWE-200"], "affectedSoftware": [{"cpeName": "tcl:linkhub_mesh_wifi_ac1200", "version": "ms1g_00_01.00_14", "operator": "eq", "name": "tcl linkhub mesh wifi ac1200"}], "affectedConfiguration": [{"name": "tcl linkhub mesh wifi ac1200", "cpeName": "tcl:linkhub_mesh_wifi_ac1200", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:tcl:linkhub_mesh_wifi_ac1200:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1504", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1504", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-08-09T22:07:08", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1504\n\n## TCL LinkHub Mesh Wifi confctl_get_master_wlan information disclosure vulnerability\n\n##### August 1, 2022\n\n##### CVE Number\n\nCVE-2022-27630\n\n##### SUMMARY\n\nAn information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nTCL LinkHub Mesh Wifi MS1G_00_01.00_14\n\n##### PRODUCT URLS\n\nLinkHub Mesh Wifi - <https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack>\n\n##### CVSSv3 SCORE\n\n6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n##### CWE\n\nCWE-200 - Information Exposure\n\n##### DETAILS\n\nThe LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.\n\nThe LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi, or wired network, provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.\n\nIn this case, the handler is `confsrv`, which handles many message types. 
In this case we don\u2019t actually need a specific protobuffer at all to achieve the information disclosure.\n \n \n 004565e8 int32_t confctl_get_master_wlan(int32_t arg1, int32_t arg2, int32_t arg3, int32_t* arg4, int32_t* arg5)\n \n ...\n 00456690 void var_108\n 00456690 memset(&var_108, 0, 0x100)\n 004566a8 int32_t $v0 = malloc(8)\n 004566bc int32_t $v0_2\n 004566bc if ($v0 == 0) {\n 004566e4 _td_snprintf(3, \"api/wifi_module.c\", 0x21c, \"WlanCfg alloc memory Failed\\n\", 0x4ae4b0)\n 004566f0 $v0_2 = 0xffffffff\n 004566f0 } else {\n 00456714 memset($v0, 0, 8)\n 00456724 int32_t var_13c_1 = 2\n 00456734 int32_t $v0_4 = malloc(0x78)\n 00456748 if ($v0_4 == 0) {\n 00456770 _td_snprintf(3, \"api/wifi_module.c\", 0x226, \"WlanCfg array alloc memory Faile\u2026\", 0x4ae4b0)\n 00456780 var_154 = 0xffffffff\n 00456780 } else {\n 004567a0 memset($v0_4, 0, 0x78)\n 004567ac int32_t var_118_1 = 0\n 004567b0 int32_t var_150_1 = 0\n 004568ac while (true) {\n 004568ac if (var_150_1 s>= 2) {\n 004568d8 if (GetValue(name: \"sys.cfg.stamp\", output_buffer: &var_108) != 0) {\n 004568f0 int32_t var_128_2 = 1\n 00456904 int32_t $v0_27\n 00456904 int32_t $v1_7\n 00456904 $v0_27, $v1_7 = atoll(&var_108)\n 00456910 int32_t var_120_1 = $v0_27\n 00456914 int32_t var_11c_1 = $v1_7\n 00456914 } else {\n 004568e0 int32_t var_128_1 = 0\n 004568e0 }\n 0045693c *arg5 = wlan_cfg_all__get_packed_size(&var_148)\n 00456968 *arg4 = malloc(*arg5)\n 00456974 if (*arg4 != 0) {\n 004569a8 wlan_cfg_all__pack(&var_148, *arg4)\n 00456990 } else {\n 00456980 var_154 = 0xffffffff\n 00456980 }\n 00456974 break\n 00456974 }\n 004567c0 int32_t $v0_7 = var_150_1 << 2\n 004567e0 wlan_cfg__init($v0_4 + ($v0_7 << 4) - $v0_7)\n 004567f0 int32_t $v0_11 = var_150_1 << 2\n 00456828 var_154 = wlan_get_master_cfg(var_150_1, 0, $v0_4 + ($v0_11 << 4) - $v0_11) [1]\n 00456840 int32_t $v0_18 = var_150_1 << 2\n 00456854 *($v0 + (var_150_1 << 2)) = $v0_4 + ($v0_18 << 4) - $v0_18\n 0045685c if (var_154 != 0) {\n 00456884 
printf(\"%s(%d)\\n\", \"confctl_get_master_wlan\", 0x237)\n 00456890 break\n 00456890 }\n 004568a0 var_150_1 = var_150_1 + 1\n 0045689c }\n 004569c8 sub_4549e0(&var_148)\n 004569e0 free($v0_4)\n 004569e0 }\n 004569fc free($v0)\n 00456a08 $v0_2 = var_154\n 00456a08 }\n 00456a1c return $v0_2 \n \n\nAs seen above, there is no protobuf parsing occurring from the data received, but at [1] `wlan_get_master_cfg` retrieves sensitive data to send back as a response. This response includes various information, but notable fields include the SSID and password in plaintext.\n\n##### TIMELINE\n\n2022-03-29 - Vendor Disclosure \n2022-08-01 - Public Release\n\n##### Credit\n\nDiscovered by Carl Hurd of Cisco Talos.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-01T00:00:00", "type": "talos", "title": "TCL LinkHub Mesh Wifi confctl_get_master_wlan information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-27630"], "modified": "2022-08-01T00:00:00", "id": "TALOS-2022-1504", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1504", "cvss": {"score": 0.0, "vector": "NONE"}}]}