CVSS3: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score: 8.4 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 20.1%)
CVE-2023-36498
A post-authentication command injection vulnerability exists in the PPTP client functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability and gain access to an unrestricted shell.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591
ER7206 Omada Gigabit VPN Router - <https://www.tp-link.com/us/business-networking/vpn-router/er7206/>
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The ER7206 Omada Gigabit VPN Router is a high-performance networking solution that supports gigabit connectivity, highly secure VPN and integration with Omada SDN for centralized cloud management and zero-touch provisioning.
The ER7206 Omada Gigabit VPN Router runs various services to manage the router or devices connected to the router. One such service is uhttpd, which runs on port 80/443. It gives users a web interface to configure and manage the router. By default, the service runs as the root user. An attacker can gain root access to the device by exploiting this service.
A command injection vulnerability exists in the uhttpd service when a PPTP client is added to the device. In the web interface, the PPTP client page can be accessed by navigating to VPN -> PPTP -> PPTP Client. It contains features to add, edit, and delete PPTP clients. When a PPTP client is added, it triggers the following HTTP POST request:
POST /cgi-bin/luci/;stok=5c2dfbd923f6847208caede091ebec4d/admin/pptp_client?form=client_list HTTP/1.1
Host: 192.168.8.100
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.8.100/webpages/index.html
Cookie: sysauth=48d19aec91739c5698db9b0d3e514723
Content-Length: 528
data=%7b%22method%22%3a%22add%22%2c%22params%22%3a%7b%22index%22%3a1%2c%22old%22%3a%22add%22%2c%22new%22%3a%7b%22tunnelname%22%3a%22n`id>/tmp/a`%22%2c%22username%22%3a%22AAAA%22%2c%22password%22%3a%22AAAAA%22%2c%22outif%22%3a%22WAN1%22%2c%22pns%22%3a%22192.168.18.119%22%2c%22mppeencryption%22%3a%220%22%2c%22remotesubnet%22%3a%22192.168.18.2%2f32%22%2c%22uplink%22%3a%221000000%22%2c%22downlink%22%3a%221000000%22%2c%22workmode%22%3a%22nat%22%2c%22enable%22%3a%22on%22%2c%22balance%22%3a%220%22%7d%2c%22key%22%3a%22add%22%7d%7d
The tunnel name of the PPTP client is vulnerable to the command injection vulnerability. It is used as an argument to a shell command without any sanitization. An attacker, by including shell metacharacters in the tunnelname parameter, can manipulate the executed command and introduce unauthorized commands, which leads to the command injection vulnerability. Even though administrative access is required to trigger this vulnerability, it can be used to acquire unrestricted shell access to the device.
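The request above carries its parameters as a urlencoded `data=<json>` body, so neither a plain WAF rule on the form field nor a naive log grep sees the tunnel name. The following added example (not TP-Link's or Talos's code) decodes that body, pulls out `params.new.tunnelname`, and applies a strict allowlist; the regex policy and the sample bodies are constructed for the example, and the same allowlist check, applied before the value reaches any command, is the input validation the firmware lacked.

```python
import json
import re
from urllib.parse import parse_qs

# Strict allowlist for a PPTP tunnel name. This is an assumed policy for the
# example, not TP-Link's: letters, digits, '-' and '_', 1 to 32 characters.
TUNNELNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Characters that let a value escape a shell command line.
SHELL_META = set("`$;|&<>(){}\n'\"\\")


def extract_tunnelname(body):
    """Decode the urlencoded 'data=<json>' body; return params.new.tunnelname or None."""
    raw = parse_qs(body, keep_blank_values=True).get("data", [None])[0]
    if raw is None:
        return None
    try:
        name = json.loads(raw)["params"]["new"]["tunnelname"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None
    return name if isinstance(name, str) else None


def find_shell_meta(value):
    """Return the shell metacharacters present in value (empty set if clean)."""
    return {c for c in value if c in SHELL_META}


def check_request(body):
    """Verdict for one request body, usable as a WAF rule or in log review."""
    name = extract_tunnelname(body)
    if name is None:
        return {"tunnelname": None, "allowed": False, "metachars": set(), "reason": "no tunnelname"}
    meta = find_shell_meta(name)
    allowed = TUNNELNAME_RE.fullmatch(name) is not None
    reason = "ok" if allowed else ("shell metacharacters" if meta else "not in allowlist")
    return {"tunnelname": name, "allowed": allowed, "metachars": meta, "reason": reason}


# Constructed sample bodies: the first mirrors the shape of the request shown
# above (trimmed to the relevant fields), the second is a benign add.
INJECTED_BODY = ("data=%7b%22method%22%3a%22add%22%2c%22params%22%3a%7b%22index%22%3a1%2c"
                 "%22new%22%3a%7b%22tunnelname%22%3a%22n`id>/tmp/a`%22%2c"
                 "%22username%22%3a%22AAAA%22%7d%2c%22key%22%3a%22add%22%7d%7d")
BENIGN_BODY = ("data=%7b%22method%22%3a%22add%22%2c%22params%22%3a"
               "%7b%22new%22%3a%7b%22tunnelname%22%3a%22office-vpn1%22%7d%7d%7d")

if __name__ == "__main__":
    for body in (INJECTED_BODY, BENIGN_BODY):
        print(check_request(body))
```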
The vendor released a new firmware available at: https://www.tp-link.com/us/support/download/er7206/v1/#Firmware
2023-12-04 - Initial Vendor Contact
2023-12-05 - Vendor Disclosure
2024-02-01 - Vendor Patch Release
2024-02-06 - Public Release
Discovered by the Vulnerability Discovery and Research team of Cisco Talos.