CVE-2017-15629

Vulnerability

A command injection vulnerability exists in the pptp_client.lua file of TP-Link WVR, WAR, and ER devices. The new-tunnelname parameter is not properly sanitized before being passed to a system command, allowing remote authenticated administrators to inject arbitrary commands [1]. Affected firmware versions are not explicitly listed but include all devices running the vulnerable pptp_client.lua script.

Exploitation

An attacker must have valid administrative credentials to the device's web interface. By sending a crafted POST request to the pptp_client.lua endpoint with a malicious new-tunnelname parameter containing shell metacharacters (e.g., command substitution), the attacker can execute arbitrary system commands on the device [1]. No user interaction beyond authentication is required.

Impact

Successful exploitation enables an authenticated administrator to execute arbitrary commands with root privileges, resulting in full compromise of the device. This can lead to unauthorized access to network traffic, modification of device configuration, and use of the device as a pivot for further attacks [1].

Mitigation

As of the publication date (2018-01-11), no firmware update has been released to address this vulnerability [1]. Administrators should restrict remote management access to trusted IP addresses via firewall rules, disable the PPTP VPN feature if not required, and monitor device logs for suspicious activity. If the device is end-of-life, consider replacing it with a supported model that receives security updates.