{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/572615#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nTP-Link router WR710N-V1-151022 running firmware published 2015-10-22 and Archer-C5-V2-160201 running firmware published 2016-02-01 are susceptible to two vulnerabilities:\r\n\r\n1. A buffer overflow during HTTP Basic Authentication allowing a remote attacker to corrupt memory allocated on the heap, causing denial of service or arbitrary code execution;\r\n2. A side-channel attack via a *strcmp()* function in the HTTP daemon allowing deterministic guessing of each byte of a username and password input during authentication.\r\n### Description\r\nTP-Link device WR710N-V1-151022 is a 150Mbps Wireless N Mini Pocket router, and Archer-C5-V2-160201 is a Wireless Dual Band Gigabit router. These SOHO devices are sold by TP-Link, and their latest firmware available as of January 11, 2023, has two vulnerabilities. \r\n\r\n**CVE-2022-4498**\r\nWhen receiving user input during HTTP Basic Authentication mode, a crafted packet may cause a heap overflow in the *httpd* daemon. This can lead to denial of service (DoS) if the *httpd* process crashes, or to arbitrary remote code execution (RCE).\r\n\r\n**CVE-2022-4499**\r\nA *strcmp()* function in *httpd* is susceptible to a side-channel attack when used to verify username and password credentials. By measuring the response time of the vulnerable process, each byte of the username and password strings may be easier to guess.\r\n\r\n### Impact\r\nThe two different vulnerabilities have unrelated impacts. The first vulnerability is a heap-based buffer overflow that can cause a crash or allow for arbitrary remote code execution. 
The second vulnerability is an information disclosure issue where the function used by the *httpd* process may allow an attacker to guess each byte of a username and password deterministically.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Jonathan Bar of Microsoft, for responsibly disclosing these issues.\r\n\r\nThis document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"We have not received a statement from the vendor.","title":"CERT/CC comment on TP-LINK notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/572615"}],"title":"Vulnerabilities in TP-Link routers, WR710N-V1-151022 and Archer C5 V2","tracking":{"current_release_date":"2023-01-23T14:36:26+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#572615","initial_release_date":"2023-01-17 17:41:05.807853+00:00","revision_history":[{"date":"2023-01-23T14:36:26+00:00","number":"1.20230123143626.4","summary":"Released on 2023-01-23T14:36:26+00:00"}],"status":"final","version":"1.20230123143626.4"}},"vulnerabilities":[{"title":"In TP-Link routers, Archer C5 and WR710N-V1, running the latest available code, when receiving HTTP Basic Authentication the httpd service can be sent a crafted packet that causes a heap overflow.","notes":[{"category":"summary","text":"In TP-Link routers, Archer C5 and WR710N-V1, running the latest available code, when receiving HTTP Basic Authentication the httpd service can be sent a crafted packet that causes a heap overflow. 
This can result in either a DoS (by crashing the httpd process) or arbitrary code execution."}],"cve":"CVE-2022-4498","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#572615"}]},{"title":"In TP-Link routers Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd is susceptible to a side-channel attack.","notes":[{"category":"summary","text":"In TP-Link routers Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd is susceptible to a side-channel attack. By measuring the response time of the httpd process, an attacker could guess each byte of the username and password."}],"cve":"CVE-2022-4499","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#572615"}]}],"product_tree":{"branches":[]}}