Description
An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.
{"id": "CVE-2022-27633", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-27633", "description": "An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.", "published": "2022-08-05T22:15:00", "modified": "2022-08-09T19:09:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27633", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2022-1503"], "cvelist": ["CVE-2022-27633"], "immutableFields": [], "lastseen": "2022-08-09T20:32:19", "viewCount": 47, "enchantments": {"twitter": {"counter": 4, "tweets": [{"link": "https://twitter.com/CVEnew/status/1555701572558020620", "text": "CVE-2022-27633 An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packet... https://t.co/xybP8mfGCT", "author": "CVEnew", "author_photo": "https://pbs.twimg.com/profile_images/1447927972393111557/PQRMlVvZ_400x400.jpg"}, {"link": "https://twitter.com/eyeTSystems/status/1555818263522721792", "text": "CVE-2022-27633 An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. 
A specially-crafted network packet can lead to information disclosure. An attacker can send packet... https://t.co/VLiSudhC3k", "author": "eyeTSystems", "author_photo": "https://pbs.twimg.com/profile_images/733144294278582272/6tkqfYMy_400x400.jpg"}, {"link": "https://twitter.com/SecRiskRptSME/status/1555819423046451200", "text": "RT:\n\nCVE-2022-27633 An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packet..\u2026", "author": "SecRiskRptSME", "author_photo": "https://pbs.twimg.com/profile_images/1547358957429133313/ZRwWMNxZ_400x400.jpg"}]}, "score": {"value": 1.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "talos", "idList": ["TALOS-2022-1503"]}]}, "vulnersScore": 1.5}, "_state": {"twitter": 0, "score": 1660077439, "dependencies": 1660077172, "affected_software_major_version": 1671607970}, "_internal": {"score_hash": "c74eafcf795611a54ecb9d703c2d9cbe"}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 6.5}}}, "cpe": ["cpe:/o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14"], "cpe23": ["cpe:2.3:o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14:*:*:*:*:*:*:*"], "cwe": ["CWE-200"], "affectedSoftware": [{"cpeName": "tcl:linkhub_mesh_wifi_ac1200", "version": "ms1g_00_01.00_14", "operator": "eq", "name": "tcl linkhub mesh wifi ac1200"}], "affectedConfiguration": [{"name": "tcl linkhub mesh wifi ac1200", "cpeName": "tcl:linkhub_mesh_wifi_ac1200", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:tcl:linkhub_mesh_wifi_ac1200:ms1g_00_01.00_14:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": 
"cpe:2.3:h:tcl:linkhub_mesh_wifi_ac1200:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1503", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1503", "refsource": "MISC", "tags": ["Exploit", "Technical Description", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-08-09T22:07:06", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1503\n\n## TCL LinkHub Mesh Wifi confctl_get_guest_wlan information disclosure vulnerability\n\n##### August 1, 2022\n\n##### CVE Number\n\nCVE-2022-27633\n\n##### SUMMARY\n\nAn information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nTCL LinkHub Mesh Wifi MS1G_00_01.00_14\n\n##### PRODUCT URLS\n\nLinkHub Mesh Wifi - <https://www.tcl.com/us/en/products/connected-home/linkhub/linkhub-mesh-wifi-system-3-pack>\n\n##### CVSSv3 SCORE\n\n6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n##### CWE\n\nCWE-200 - Information Exposure\n\n##### DETAILS\n\nThe LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.\n\nThe LinkHub Mesh system uses protobuffers to communicate both internally on the device as well as externally with the controlling phone application. These protobuffers can be sent to port 9003 while on the Wi-Fi, or wired network, provided by the LinkHub Mesh in order to issue commands, much like the phone application would. Once the protobuffer is received, it is routed internally starting from the `ucloud` binary and is dispatched to the appropriate handler.\n\nIn this case, the handler is `confsrv`, which handles many message types. 
In this case we don\u2019t actually need a specific protobuffer at all to achieve the information disclosure.\n \n \n 00456a24 int32_t confctl_get_guest_wlan(int32_t arg1, int32_t arg2, int32_t arg3, int32_t* arg4, int32_t* arg5)\n \n 00456a44 arg_0 = arg1\n 00456a48 arg_4 = arg2\n 00456a4c arg_8 = arg3\n 00456a54 int32_t var_154 = 0\n 00456a60 int32_t var_14c = 0\n 00456a68 void* const var_148 = wlan_cfg_all__descriptor\n ...\n 00456ad4 void var_108\n 00456ad4 memset(&var_108, 0, 0x100)\n 00456aec int32_t $v0 = malloc(8)\n 00456b00 int32_t $v0_2\n 00456b00 if ($v0 == 0) {\n 00456b18 puts(\"djc__WlanCfg alloc memory Failed\")\n 00456b24 $v0_2 = 0xffffffff\n 00456b24 } else {\n 00456b48 memset($v0, 0, 8)\n 00456b58 int32_t var_13c_1 = 2\n 00456b68 int32_t $v0_4 = malloc(0x78)\n 00456b7c if ($v0_4 == 0) {\n 00456b94 puts(\"djc___WlanCfg array alloc memory\u2026\")\n 00456ba4 var_154 = 0xffffffff\n 00456ba4 } else {\n 00456bc4 memset($v0_4, 0, 0x78)\n 00456bd4 int32_t var_118_1 = 1\n 00456bf0 GetValue(name: \"wl.guest.dhcps_enable\", output_buffer: &var_14c)\n 00456c20 if (strcmp(&var_14c, \"1\") != 0) {\n 00456c48 guest_enable_flag = 0\n 00456c4c int32_t var_114_2 = 0\n 00456c4c } else {\n 00456c30 guest_enable_flag = 1\n 00456c38 int32_t var_114_1 = 1\n 00456c38 }\n 00456c50 int32_t var_150_1 = 0\n 00456d4c while (true) {\n 00456d4c if (var_150_1 s>= 2) {\n 00456d60 int32_t $v0_27 = malloc(0x14)\n 00456d74 if ($v0_27 == 0) {\n 00456d9c _td_snprintf(3, \"api/wifi_module.c\", 0x2cf, \"WlanTimeChoice array alloc memor\u2026\", 0x4ae4b0)\n 00456dac var_154 = 0xffffffff\n 00456dac } else {\n 00456dcc memset($v0_27, 0, 0x14)\n 00456de4 wlan_time_choice__init($v0_27)\n 00456e10 *($v0_27 + 0x10) = malloc(0xc)\n 00456e1c if (*($v0_27 + 0x10) == 0) {\n 00456e28 var_154 = 0xffffffff\n 00456e28 } else {\n 00456e40 **($v0_27 + 0x10) = 0x3840\n 00456e54 *(*($v0_27 + 0x10) + 4) = 0x7080\n 00456e68 *(*($v0_27 + 0x10) + 8) = 0xffffffff\n 00456e74 *($v0_27 + 0xc) = 3\n 00456e7c 
int32_t var_134_1 = $v0_27\n 00456ea4 if (GetValue(name: \"sys.cfg.stamp\", output_buffer: &var_108) != 0) {\n 00456ebc int32_t var_128_2 = 1\n 00456ed0 int32_t $v0_44\n 00456ed0 int32_t $v1_8\n 00456ed0 $v0_44, $v1_8 = atoll(&var_108)\n 00456edc int32_t var_120_1 = $v0_44\n 00456ee0 int32_t var_11c_1 = $v1_8\n 00456ee0 } else {\n 00456eac int32_t var_128_1 = 0\n 00456eac }\n 00456f08 *arg5 = wlan_cfg_all__get_packed_size(&var_148)\n 00456f34 *arg4 = malloc(*arg5)\n 00456f40 if (*arg4 != 0) {\n 00456f74 wlan_cfg_all__pack(&var_148, *arg4)\n 00456f5c } else {\n 00456f4c var_154 = 0xffffffff\n 00456f4c }\n 00456f4c }\n 00456f90 sub_454a98($v0_27)\n 00456f90 }\n 00456d74 break\n 00456d74 }\n 00456c60 int32_t $v0_8 = var_150_1 << 2\n 00456c80 wlan_cfg__init($v0_4 + ($v0_8 << 4) - $v0_8)\n 00456c90 int32_t $v0_12 = var_150_1 << 2\n 00456cc8 var_154 = wlan_get_master_cfg(var_150_1, 1, $v0_4 + ($v0_12 << 4) - $v0_12) [1]\n 00456ce0 int32_t $v0_19 = var_150_1 << 2\n 00456cf4 *($v0 + (var_150_1 << 2)) = $v0_4 + ($v0_19 << 4) - $v0_19\n 00456cfc if (var_154 != 0) {\n 00456d24 printf(\"djc______%s(%d)\\n\", \"confctl_get_guest_wlan\", 0x2c5)\n 00456d30 break\n 00456d30 }\n 00456d40 var_150_1 = var_150_1 + 1\n 00456d3c }\n 00456fb0 sub_4549e0(&var_148)\n 00456fc8 free($v0_4)\n 00456fc8 }\n 00456fe4 free($v0)\n 00456ff0 $v0_2 = var_154\n 00456ff0 }\n 00457004 return $v0_2 \n \n\nAs seen above, there is no protobuf parsing occuring from the data received, but at [1] `wlan_get_master_cfg` retrieves sensitive data to send back as a response. 
This response includes various information, but notable fields include the SSID and password in plaintext of the Guest WLAN.\n\n##### TIMELINE\n\n2022-03-29 - Vendor Disclosure \n2022-08-01 - Public Release\n\n##### Credit\n\nDiscovered by Carl Hurd of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1502\n\nPrevious Report\n\nTALOS-2022-1504\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-01T00:00:00", "type": "talos", "title": "TCL LinkHub Mesh Wifi confctl_get_guest_wlan information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-27633"], "modified": "2022-08-01T00:00:00", "id": "TALOS-2022-1503", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1503", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2022-11-28T23:22:24", "description": "TCL LinkHub Mesh Wi-Fi is a router from TCL Corporation. 
TCL LinkHub Mesh Wi-Fi is vulnerable to an information disclosure vulnerability that originates in the confctl_get_guest_wlan function and can be exploited by attackers to cause information disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-03T00:00:00", "type": "cnvd", "title": "TCL LinkHub Mesh Wi-Fi Information Disclosure Vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-27633"], "modified": "2022-11-28T00:00:00", "id": "CNVD-2022-82015", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-82015", "cvss": {"score": 0.0, "vector": "NONE"}}]}