Skip to main content

A couple of vulnerabilities were discovered on a couple of TP-Link products. The vulnerabilities identified as CVE-2022-4498 and CVE-2022-4499 are rated Critical & High and assigned CVSS scores of 9.8 & 7.5 on the scale. It is worth knowing about the vulnerabilities as these flaws allow threat actors to perform arbitrary code execution, Denial of Services, device crash, and username and password guess on the vulnerable devices. We created this post to create awareness about these unpatched vulnerabilities in TP-Link Routers. Let’s get started.

A 150Mbps Wireless N mini pocket router, WR710N-V1-151022, and a dual-band gigabit wireless router, Archer-C5-V2-160201, with their latest firmware available as of January 11, 2023, are prone to two unpatched vulnerabilities. Let’s see one after another in the below sections.

Summary of CVE-2022-4498

The flaw is due to improper handling of user input during HTTP Basic Authentication mode. A specially crafted HTTP request can cause a heap overflow in the httpd daemon. This would lead to the crash of httpd daemon would further stage to denial of service or remote code execution.

In other words, we could say that this vulnerability could let remote attackers execute arbitrary code without authentication in the affected TP-Link routers.

Associated CVE IDCVE-2022-4498
DescriptionA critical buffer overflow vulnerability
Associated ZDI ID
CVSS Score9.8 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score5.9
Exploitability Score3.9
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary of CVE-2022-4499

The flaw lice in the strcmp() function in httpd. This vulnerability allows a threat actor to guess each byte of a username and password input during authentication by measuring the response time of the vulnerable process.

Associated CVE IDCVE-2022-4499
DescriptionA side-channel vulnerability allows to guess the credentials
Associated ZDI ID
CVSS Score7.5 High
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Impact Score3.6
Exploitability Score3.9
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)None
availability (a)None

Fix or Workaround

At the time of publishing this post, there are no official fixes or workaround released either by the Vendor or any third-party security firms. Please reach out to TP-Link or keep checking the CERT/CC advisory for any updates. 

Leave a Reply