Connect with us

Hi, what are you looking for?


Network Security

TP-Link Patches Remote Code Execution Flaws in SOHO Router

Vulnerabilities recently addressed by WiFi device maker TP-Link in its TL-R600VPN small and home office (SOHO) router could allow remote code execution, Cisco Talos security researchers warn.

Vulnerabilities recently addressed by WiFi device maker TP-Link in its TL-R600VPN small and home office (SOHO) router could allow remote code execution, Cisco Talos security researchers warn.

The issues were mainly caused by lack of input sanitization and parsing errors. Lack of proper input sanitization can be exploited without authentication to cause denial of service and leak server information. 

Parsing errors require an authenticated session for exploitation, but can lead to remote code execution under the context of HTTPD. While the attacker needs to be authenticated to exploit the flaw, because the HTTPD process runs as root, the code would be executed with elevated privileges.

Three of the discovered vulnerabilities impact TP-Link TL-R600VPN HWv3 FRNv1.3.0 and TL-R600VPN HWv2 FRNv1.2.3 versions, while a fourth one was found in HWv3 FRNv1.3.0 only.

Tracked as CVE-2018-3948, the denial of service vulnerability was found in the URI-parsing function of the TL-R600VPN HTTP server. 

“If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn’t need to be authenticated,” Cisco reports

The HTTP server can expose information due to a directory traversal vulnerability (CVE-2018-3949) that can be exploited by both authenticated and unauthenticated attackers. For unauthenticated exploitation, an attacker needs to use a standard directory traversal with base page of ‘help,’ which allows them to read any file on the system.

Advertisement. Scroll to continue reading.

The third vulnerability, CVE-2018-3950, was found in the ping and traceroute functions of the TL-R600VPN HTTP server, and can lead to remote code execution because the router does not check the size of the data passed to its ‘ping_addr’ field when performing a ping operation. 

“By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device’s HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability,” Cisco explains. 

A second remote code execution bug (CVE-2018-3951) was found in the HTTP header-parsing function of the TL-R600VPN HTTP server. An attacker can trigger a buffer overflow using a specially crafted HTTP request, and then exploit this for remote code execution. The attacker needs to be authenticated to exploit the vulnerability.

“During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request,” Cisco explains. 

TP-Link has already released patches for these vulnerabilities, and the owners of the TL-R600VPN routers are advised to update their devices as soon as possible. 

Related: Critical Vulnerabilities Allow Takeover of D-Link Routers

Related: U.S. Disrupts Russian Botnet of 500,000 Hacked Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...