[Japanese]

JVNDB-2024-001002

Multiple TP-Link products vulnerable to OS command injection

Overview

Multiple products provided by TP-LINK contain multiple vulnerabilities listed below.

* OS command injection (CWE-78) - CVE-2024-21773
* OS command injection (CWE-78) - CVE-2024-21821
* OS command injection (CWE-78) - CVE-2024-21833

Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.5 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21773


CVSS V3 Severity:
Base Metrics:7.1 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21821


CVSS V3 Severity:
Base Metrics:7.5 (High) [Other]
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-21833
Affected Products


TP-LINK Technologies
  • Archer Air R5 firmware versions prior to "Archer Air R5(JP)_V1_1.1.6 Build 20240508" (CVE-2024-21773, CVE-2024-21821)
  • Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115" (CVE-2024-21773, CVE-2024-21821, CVE-2024-21833)
  • Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115" (CVE-2024-21773, CVE-2024-21821, CVE-2024-21833)
  • Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115" (CVE-2024-21821, CVE-2024-21833)
  • Deco X50 Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122" (CVE-2024-21773, CVE-2024-21833)
  • Deco XE200 Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120" (CVE-2024-21773, CVE-2024-21833)

Impact

* A unauthenticated user who can access the affected device from the LAN port or Wi-Fi may execute an arbitrary OS command on the device that has pre-specified target devices and blocked URLs in parental control settings - CVE-2024-21773
* A unauthenticated user who can access the affected device from the LAN port or Wi-Fi may execute an arbitrary OS command on the device - CVE-2024-21833
* A user who logs in to the affected device may execute an arbitrary OS command (The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi) - CVE-2024-21821
Solution

[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

TP-LINK Technologies
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [Other]
CVE (What is CVE?)

  1. CVE-2024-21773
  2. CVE-2024-21821
  3. CVE-2024-21833
References

  1. JVN : JVNVU#91401812
  2. National Vulnerability Database (NVD) : CVE-2024-21773
  3. National Vulnerability Database (NVD) : CVE-2024-21821
  4. National Vulnerability Database (NVD) : CVE-2024-21833
Revision History

  • [2024/01/10]
      Web page was published
  • [2024/03/14]
      References : Contents were added
  • [2024/06/28]
      Affected Products : Product was added 
      Impact was modified
      Vendor Information : Content was added