[Japanese]

JVNDB-2021-001010

TP-Link TL-WR841N V13 (JP) vulnerable to OS command injection

Overview

​TP-Link TL-WR841N is a wifi router for home networks.
The firmware version 161028 for hardware version V13 (JP) is reported vulnerable to OS command injection (CWE-78).

According to the vendor, the firmware for hardware version V14 (JP) is not affected.

Koh You Liang of 3-shake Inc. reported this vulnerability to the developer and JPCERT/CC.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.2 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 8.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
Affected Products


TP-LINK Technologies
  • TL-WR841N firmware V13 (JP) with firmware versions prior to 201216

Impact

Any user who can login to the web interface of the product may execute any OS commands.
Solution

[Update the Firmware]
Update to the latest version of the firmware according to the information provided by the developer.

The developer has released the firmware version 201216 to fix this vulnerability.
Vendor Information

TP-LINK Technologies
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-35576
References

  1. JVN : JVNVU#92444096
  2. National Vulnerability Database (NVD) : CVE-2020-35576
  3. Related document : TP-Link TL-WR841N Command Injection Exploit (CVE-2020-35576)
Revision History

  • [2021/01/25]
      Web page was published

Date Public2021/01/22
Date First Published2021/01/25
Date Last Updated2021/01/25