Critical remote execution flaw lurks in TP-Link Wi-Fi Extenders

The zero-day bug impacts multiple models in the TP-Link product line.


A critical zero-day vulnerability which impacts TP-Link Wi-Fi Extenders could lead to the remote execution of code, researchers have warned.

IBM X-Force researcher Grzegorz Wypych revealed the existence of the security flaw on Tuesday. In a blog post, the researcher said the issue affects TP-Link Wi-Fi Extender models RE365, RE650, RE350 and RE500 running firmware version 1.0.2, build 20180213.

TP-Link Wi-Fi Extenders are devices suitable for both homes and commercial properties, used to eliminate black spots, that is, areas with weak Wi-Fi coverage. An extender captures the Wi-Fi signal from the main router and rebroadcasts it, improving its strength.


However, as with many Internet-connected devices, vulnerabilities may exist that attackers can use to remotely access and compromise them. In this case, the critical flaw can be exploited to achieve remote code execution.

TP-Link's Wi-Fi extenders run on the MIPS architecture, and the vulnerability is triggered by sending the device an HTTP request with a malformed User-Agent header, which can be abused to run shell commands on the device.

Wypych says that the bug can be used to remotely access the extender without any authentication, giving attackers the chance to hijack the device and gain complete control.

The team was able to connect to a test RE365 device via TCP port 4444 and obtain a root-level shell. No separate privilege escalation step was needed in the infection process, because every process on the device runs with root-level access by default.
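A defender-side way to act on the description above, as an added example that is not from the article or from IBM X-Force: a Python check that flags HTTP log lines whose User-Agent field carries shell syntax rather than product tokens, plus a lookup against the four affected model and firmware builds the article names. The Apache-style "combined" log format and the sample lines are assumptions; the extender's own logging is not described in the article.

```python
import re

# Affected models and firmware builds as stated in the article (model, version, build).
AFFECTED_FIRMWARE = {
    ("RE365", "1.0.2", "20180213"), ("RE650", "1.0.2", "20180213"),
    ("RE350", "1.0.2", "20180213"), ("RE500", "1.0.2", "20180213"),
}

# Assumed log shape: Apache/nginx "combined" format. The extender's own log
# format is not described in the article, so adapt LOG_RE to your source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# RFC 7231 allows parenthesised comments such as "(X11; Linux x86_64)" in a
# User-Agent, so semicolons inside them are normal and are stripped first.
UA_COMMENT_RE = re.compile(r"\([^)]*\)")
# Shell metacharacters that never belong in User-Agent product tokens.
SHELL_META_RE = re.compile(r"[;|&`]|\$[({]")
# Command substitution is not legitimate anywhere in a User-Agent, comments included.
SUBSTITUTION_RE = re.compile(r"`|\$[({]")

def is_affected(model: str, version: str, build: str) -> bool:
    """True if the reported model and firmware match a vulnerable build."""
    return (model.upper(), version, build) in AFFECTED_FIRMWARE

def user_agent_is_suspicious(ua: str) -> bool:
    """Flag a User-Agent that carries shell syntax instead of product tokens."""
    if SUBSTITUTION_RE.search(ua):
        return True
    return bool(SHELL_META_RE.search(UA_COMMENT_RE.sub("", ua)))

def flag_suspicious_requests(log_lines):
    """Return (client_ip, user_agent) for each parseable line whose UA looks injected."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and user_agent_is_suspicious(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits

# Constructed sample lines (not real traffic) to exercise the detector.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"',
    '198.51.100.7 - - [18/Jun/2019:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"curl/7.58.0 $(id)"',
    '203.0.113.5 - - [18/Jun/2019:10:00:09 +0000] "GET / HTTP/1.1" 200 128 "-" "-"',
]
```

Because browsers legitimately put semicolons inside parenthesised comments, the check strips those comments before looking for metacharacters, while still treating command substitution anywhere in the header as a hit.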

"Running as root by default is quite risky because anyone who may compromise the device could perform any action on it," the researcher said.


"The sort of impact one can expect from such unauthenticated access is, for example, requesting the device to browse to a botnet command and control server or an infection zone," Wypych added. "The thought of a Mirai infection on IoT devices is, of course, one of the first things that come to mind, where automated scripts could potentially run as root on this type of a device if the vulnerability is exploited."


Patches to resolve the bug can be downloaded from TP-Link's website. Separate updates have been issued for each of the four impacted products (RE365, RE500, RE650, RE350).

ZDNet has reached out to TP-Link and will update if we hear back. 
