Security researchers have identified a critical vulnerability in the TP-Link Archer C5400X gaming router that allows remote code execution through specially crafted requests.
The flaw is tracked as CVE-2024-5035 and carries the highest possible Common Vulnerability Scoring System (CVSS) score of 10.0. All firmware versions up to and including 1_1.1.6 are affected. TP-Link addressed the issue in firmware version 1_1.1.7, released on May 24, 2024.
CVE-2024-5035 Technical Details
According to a report by German cybersecurity firm ONEKEY, exploiting CVE-2024-5035 lets remote, unauthenticated attackers gain arbitrary command execution on the targeted device with elevated privileges. The vulnerability stems from a binary related to radio frequency testing, “rftest,” which launches at startup and opens a network listener on TCP ports 8888, 8889, and 8890. In short, this exposed service gives remote attackers code execution on the device.
The network service is designed to accept only commands that start with “wl” or “nvram get.” However, ONEKEY found that attackers can circumvent this restriction simply by appending further commands after shell metacharacters such as ;, &, or |. For instance, a command such as “wl;id;” passes the prefix check and triggers the vulnerability.
TP-Link’s fix in version 1_1.1.7 Build 20240510 discards any command containing these special characters, which blocks the injection and prevents unauthorized code execution.
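As an added illustration (not TP-Link’s or ONEKEY’s code), the following Python models the three filtering policies at issue: the original prefix-only check, the 1_1.1.7 behaviour of discarding commands containing ;, & or |, and an assumed stricter anchored-allowlist design. The sample inputs are constructed; “wl;id;” is the example quoted above.

```python
import re

# Added illustration, not TP-Link's or ONEKEY's code: models the rftest
# command filter described in the article, before and after the fix.

ALLOWED_PREFIXES = ("wl", "nvram get")

# The shell metacharacters the article says the 1_1.1.7 fix rejects.
REJECTED_METACHARS = frozenset(";&|")


def accepted_before_fix(cmd: str) -> bool:
    """Pre-fix behaviour: accept anything that merely starts with an allowed
    prefix. A prefix match says nothing about the rest of the string, so
    "wl;id;" passes and the shell runs "id" after "wl"."""
    return cmd.startswith(ALLOWED_PREFIXES)


def accepted_after_fix(cmd: str) -> bool:
    """Post-fix behaviour: discard any command containing ; & or |, then
    apply the same prefix check."""
    if any(ch in REJECTED_METACHARS for ch in cmd):
        return False
    return cmd.startswith(ALLOWED_PREFIXES)


# Assumed stricter design (not the vendor's fix): an anchored grammar that
# only admits the command shapes the service is meant to serve.
_STRICT = re.compile(r"(?:wl(?: [A-Za-z0-9_.-]+)*|nvram get [A-Za-z0-9_.-]+)")


def accepted_strict(cmd: str) -> bool:
    """Allowlist by full grammar: no deny-list of characters to keep in sync."""
    return _STRICT.fullmatch(cmd) is not None


def classify(cmd: str) -> dict:
    """Evaluate one received command under each policy; useful when
    replaying captured traffic to see what a given firmware would accept."""
    return {
        "before_fix": accepted_before_fix(cmd),
        "after_fix": accepted_after_fix(cmd),
        "strict": accepted_strict(cmd),
    }


if __name__ == "__main__":
    # Constructed sample inputs; "wl;id;" is the example quoted in the article.
    for sample in ("wl", "nvram get lan_ipaddr", "wl;id;", "id"):
        print(f"{sample!r:24} -> {classify(sample)}")
```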
Broader Security Context
This disclosure follows recent reports of similar security vulnerabilities in other networking devices. Some notable security flaws were also identified in Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) and Ligowave networking gear (CVE-2024-4999). These vulnerabilities, like the one in the TP-Link Archer C5400X, could enable remote attackers to execute commands with elevated privileges. Unfortunately, these devices are no longer actively maintained, leaving them unpatched and vulnerable.
Recommendations
All TP-Link Archer C5400X gaming router users should update their firmware to version 1_1.1.7 immediately to mitigate CVE-2024-5035. Users of the affected Delta Electronics and Ligowave devices should take steps to limit exposure of administration interfaces to minimize the potential for exploitation, given that no patches will be provided.