TP-Link Archer Routers Allow Remote Takeover Without Passwords (Dec 17, 2019)
TP-Link has addressed a critical zero-day vulnerability in its Archer routers. The vulnerability (CVE-2017-7405) could allow attackers to gain remote access to, and control of, the LAN through a Telnet connection without authentication. IBM X-Force researchers note that the zero-day flaw can affect both home and business environments. The router's Common Gateway Interface (CGI) validation is based on the HTTP Referer header. Because TP-Link Archer routers run the default administrative user with root privileges, an attacker who spoofs the HTTP header data can take control of the device.
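Added example, not code from the advisory or from TP-Link's firmware: a Python model of the Referer-based CGI gate described above beside a session-token check, with a detection pass over constructed access-log lines. The router address, CGI path, log format and session values are assumptions.

```python
import re
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.0.1"     # constructed LAN address of the router
VALID_SESSIONS = {"sess-4f1c"}           # constructed server-side session store

@dataclass
class Request:
    path: str
    headers: dict
    cookies: dict = field(default_factory=dict)

def referer_only_check(req: Request) -> bool:
    """Weak pattern the advisory describes: the CGI handler trusts a
    client-supplied Referer, which any client can set, so unauthenticated
    requests pass."""
    return req.headers.get("Referer", "").startswith(ROUTER_ORIGIN)

def session_check(req: Request) -> bool:
    """Hardened form: access rests on a server-issued session token; the
    Origin/Referer is only a secondary cross-site signal, never the gate."""
    if req.cookies.get("session") not in VALID_SESSIONS:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin.startswith(ROUTER_ORIGIN)

# Constructed access-log format: src "METHOD path" status ref="..." sess="..."
LOG_RE = re.compile(r'(?P<src>\S+) "(?P<method>\w+) (?P<path>\S+)" '
                    r'(?P<status>\d{3}) ref="(?P<ref>[^"]*)" sess="(?P<sess>[^"]*)"')

def flag_suspicious(log_lines):
    """Detection: successful admin CGI requests whose Referer claims the
    router's own origin but that carry no session. Returns (src, path) pairs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["path"].startswith("/cgi") and m["status"] == "200"
                and m["ref"].startswith(ROUTER_ORIGIN) and not m["sess"]):
            hits.append((m["src"], m["path"]))
    return hits

SAMPLE_LOG = [  # constructed sample lines; /cgi/config is an assumed path
    '192.168.0.20 "POST /cgi/config" 200 ref="http://192.168.0.1/" sess="sess-4f1c"',
    '192.168.0.77 "POST /cgi/config" 200 ref="http://192.168.0.1/" sess=""',
    '192.168.0.77 "GET /index.htm" 200 ref="" sess=""',
]
```

Running `flag_suspicious(SAMPLE_LOG)` returns only the second line's source, the one that reached the CGI endpoint with a router-origin Referer and no session.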
Recommendation: Any business or customer using TP-Link Archer routers should patch this vulnerability to prevent malicious actors from exploiting it. The good news is that TP-Link has addressed the issue; the bad news is that the zero-day is easy to exploit and clearly articulated. An actor only needs to sniff the network to obtain the information required to spoof the header and attempt to gain access. Organisations should review whether they have this device in their environment and apply patch management procedures promptly.