Google security engineer discloses zero-day flaw in TP-Link smart home routers

The zero-day vulnerability was disclosed publicly after TP-Link failed to respond.


A zero-day vulnerability impacting TP-Link SR20 smart home routers has been exposed publicly after the company allegedly failed to respond to a researcher's private disclosure.

Matthew Garrett, a Google security engineer, revealed the bug after the company failed to fix the issue within 90 days, the disclosure window now widely accepted in cybersecurity as a reasonable amount of time for vendors to fix reported security issues.

The security flaw is a zero-day arbitrary code execution (ACE) bug in TP-Link SR20 routers, which are dual-band 2.4 GHz / 5 GHz products touted as routers suitable for controlling smart home and Internet of Things (IoT) devices while lessening the risk of bottlenecks.

The SR20 also supports devices which make use of the ZigBee and Z-Wave protocols.

As documented in this Twitter conversation feed, Garrett disclosed his findings to TP-Link over 90 days ago via the firm's online security disclosure form.

Although TP-Link promises researchers a reply within three business days, weeks later there had been no response. Attempts to contact TP-Link through other channels also failed.


According to Garrett, the problem lies in a process that TP-Link routers frequently run called "tddp," the TP-Link Device Debug Protocol. This process runs as root and handles two types of command: type one, which does not require authentication, and type two, which does.

The SR20 router vulnerability exposes some type one commands, one of which -- command 0x1f, request 0x01 -- appears to be for configuration validation.

"You send it a filename, a semicolon and then an argument," the security engineer says. "The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a Lua interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root."


Lua's os.execute() function then lets an attacker on the local network execute whatever they wish as root, which could result in the full hijack of a vulnerable device.
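The chain above has one observable step a network defender can key on: after receiving the unauthenticated tddp command, the router itself opens a TFTP connection back to the requesting machine and reads a file from it. A router acting as a TFTP client toward a LAN host is unusual enough to alert on. The following is an added example, not code from the article, from Garrett's write-up or from TP-Link: it parses TFTP read/write requests per the RFC 1350 layout (2-byte opcode, filename, NUL, mode, NUL) and flags read requests that originate from the router address and target a LAN host. The router address, LAN range, UDP records and filenames are constructed sample data; the tddp port itself is not given in the article and is not assumed here.

```python
"""Flag a router that initiates TFTP read requests toward LAN hosts.

Added example (not the article's or TP-Link's code). Packet layout follows
RFC 1350; all addresses, records and filenames below are constructed.
"""
import ipaddress
import struct
from typing import List, NamedTuple, Optional

TFTP_PORT = 69
OP_RRQ = 1  # read request
OP_WRQ = 2  # write request


class UdpRecord(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


class TftpRequest(NamedTuple):
    opcode: int
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Parse an RFC 1350 RRQ/WRQ; return None for anything else or malformed data."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    parts = payload[2:].split(b"\x00")
    # A well-formed request carries a NUL-terminated filename and a NUL-terminated mode.
    if len(parts) < 3:
        return None
    try:
        filename = parts[0].decode("ascii")
        mode = parts[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if mode not in ("netascii", "octet", "mail"):
        return None
    return TftpRequest(opcode, filename, mode)


def find_router_tftp_fetches(records: List[UdpRecord], router_ip: str, lan: str) -> List[dict]:
    """Return one alert per TFTP read request the router sends to a host inside `lan`."""
    lan_net = ipaddress.ip_network(lan)
    alerts = []
    for rec in records:
        # Only traffic the router originates toward the TFTP port is of interest.
        if rec.src != router_ip or rec.dport != TFTP_PORT:
            continue
        if ipaddress.ip_address(rec.dst) not in lan_net:
            continue
        req = parse_tftp_request(rec.payload)
        if req is None or req.opcode != OP_RRQ:
            continue
        alerts.append({"router": rec.src, "peer": rec.dst, "file": req.filename, "mode": req.mode})
    return alerts


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a constructed RFC 1350 read request for the sample data."""
    return struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


# Constructed sample capture: one benign DNS query, one router-initiated fetch
# of a Lua file from a LAN host, one ordinary client-to-router TFTP request,
# and one router request to a non-LAN address.
ROUTER_IP = "192.168.0.1"
LAN = "192.168.0.0/24"
SAMPLE_RECORDS = [
    UdpRecord("192.168.0.10", ROUTER_IP, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    UdpRecord(ROUTER_IP, "192.168.0.10", TFTP_PORT, rrq("validate.lua")),
    UdpRecord("192.168.0.20", ROUTER_IP, TFTP_PORT, rrq("firmware.bin")),
    UdpRecord(ROUTER_IP, "203.0.113.5", TFTP_PORT, rrq("x")),
]

if __name__ == "__main__":
    for alert in find_router_tftp_fetches(SAMPLE_RECORDS, ROUTER_IP, LAN):
        print(alert)
```

On real traffic the records would come from a flow or packet capture on the LAN segment; only the second sample record produces an alert, because the other three are either not from the router, not a read request, or not aimed at a LAN host.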

"Stop shipping debug daemons on production firmware and if you're going to have a web form to submit security issues then have someone actually respond to it," Garrett added, in relation to TP-Link.


Further technical details concerning the vulnerability have been published in a blog post written by the security engineer. Proof-of-concept (PoC) code has also been released.

TP-Link's situation is not the only router-related security issue to appear this week. Cisco has also ended up in the hot seat after failing to properly patch Cisco RV320 and RV325 WAN VPN routers against remote attacks.

ZDNet has reached out to TP-Link and will update if we hear back.
