CVE-2022-41541 An attacker can replay an encrypted authentication message and valid authentication token with the AX10v1 V1_211117 device.

In TP-Link devices, a replay attack is possible when the system does not have a sufficiently long nonce (number used once) in the hash of an authentication token. If a replay attack is successfully executed, an attacker can change the configuration of the device with the attacker's configuration, access the device with the admin user ID, modify the application, and record the hash value of the newly generated authentication token to inject the newly generated authentication token into the next request and replay the request to view the previously modified configuration. This vulnerability can be exploited by attackers by sending a specially crafted request to the target device. An attacker can use social engineering techniques, for example, email spoofing, to trick a user into opening a specially crafted email. In TP-Link devices, a replay attack is possible when the system does not have a sufficiently long nonce (number used once) in the hash of an authentication token. If a replay attack is successfully executed, an attacker can change the configuration of the device with the attacker's configuration, access the device with the admin user ID, modify the application, and record the hash value of the newly generated authentication token to inject the newly generated authentication token into the next request and replay the request to view the previously modified configuration

Software version of affected devices

The following software versions are affected by this vulnerability:
Device Software Version
TL-WR841N v8.0.0 Build 121
TL-WR841HP v9.0.0 Build 17061
TL-WR842N v8.0.0 Build 121
TL-WDR3600 v9.6.2 Build 16896

Security Weakness in TP-Link Smart HUB and AC2400

A replay attack vulnerability exists in TP-Link Smart HUB and AC2400 devices. This vulnerability is due to the system not having a sufficiently long nonce (number used once) in the hash of an authentication token. If a replay attack is successfully executed, an attacker can change the configuration of the device with the attacker's configuration, access the device with the admin user ID, modify the application, and record the hash value of the newly generated authentication token to inject the newly generated authentication token into the next request and replay the request to view the previously modified configuration. This vulnerability can be exploited by attackers by sending a specially crafted request to target devices. An attacker can use social engineering techniques, for example, email spoofing, to trick a user into opening a specially crafted email.

Vulnerable devices

TP-Link Archer C50, C31, C25, and HAP AC3200
TP-Link TL-WDR3600
TP-Link TL-WR841N
TP-Link TL-WR842N

Vulnerable Code

The following code is vulnerable.

if(nonce==0) {
return; }
Nonce = nonce + 1; // Hack away!
if(nonce > MAX_AUTH_TOKEN_LENGTH-1) { // Hack away!
return;
} else { // Hack away!

Timeline

Published on: 10/18/2022 15:15:00 UTC
Last modified on: 10/20/2022 15:47:00 UTC

References

• https://www.tp-link.com/us/support/download/archer-ax10/v1/#Firmware
• https://github.com/efchatz/easy-exploits/tree/main/Web/TP-Link/Replay
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41541