Several TP-Link routers have been found to be vulnerable to webpage based DNS hijacking attacks. Worryingly the researcher who uncovered information about this vulnerability, Jacob Lell, has also found “an active exploitation campaign,” aimed at the affected TP-Link routers. Meanwhile TP-Link has released updated firmware for some but not all of its affected networking hardware.
There have been many router exploits before, however this newly reported TP-Link exploit looks more immediately serious as Mr Lell has found “five different instances of the exploit on unrelated websites so far”. An automated client honeypot system set up by Lell generated “some 280 GB of web traffic”. The five unrelated instances of the exploit he found tried to change the primary nameserver to three different IP addresses.
The affected TP-Link routers have something called a CSRF vulnerability. These routers allow access to their web-based administration page using HTTP authentication. “When entering the credentials to access the web interface, the browser typically asks the user whether he wants to permanently store the password in the browser. However, even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explains Lell.
If a user then visits a compromised site, like one of the five discovered so far, the site attempts to “change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” says Lell. After that DNS change web addresses typed in by the user can be easily redirected to phishing sites and similar places you wouldn’t ordinarilty want to visit. Also, among many other consequences, software updates can be blocked and email accounts hijacked.
The following devices are confirmed to be vulnerable:
- TP-Link WR1043ND V1 up to firmware version 3.3.12 build 120405 is vulnerable (version 3.3.13 build 130325 and later is not vulnerable)
- TP-Link TL-MR3020: firmware version 3.14.2 Build 120817 Rel.55520n and version 3.15.2 Build 130326 Rel.58517n are vulnerable (but not affected by current exploit in default configuration)
- TL-WDR3600: firmware version 3.13.26 Build 130129 Rel.59449n and version 3.13.31 Build 130320 Rel.55761n are vulnerable (but not affected by current exploit in default configuration)
- WR710N v1: 3.14.9 Build 130419 Rel.58371n is not vulnerable
- Some other untested devices are also likely to be vulnerable