CVE-2022-41505

Vulnerability

TP-Link Tapo C200 V1 devices have an access control issue that allows physically proximate attackers to obtain root access. The vulnerability lies in the UART interface, where an attacker can interrupt the boot process and modify kernel command-line parameters. This affects TP-Link Tapo C200 V1 hardware versions [1].

Exploitation

An attacker with physical access to the device can expose the UART pins, connect a USB-to-TTL converter, and access the serial console. During boot, the attacker presses a key to stop the autoboot process, gaining access to the U-Boot shell. The attacker then sets the init environment variable to "/bin/sh" using the command setenv init=/bin/sh and executes the bootcmd to boot the device, resulting in a root shell [1].

Impact

Successful exploitation grants the attacker a root shell, allowing complete control over the device. This includes the ability to extract firmware, modify system files, and execute arbitrary commands. The attacker can also dump the contents of the flash chip to an SD card for offline analysis [1].

Mitigation

As of the available references, no official patch or mitigation has been released by TP-Link. Physical access control is the primary defense; ensure devices are in secure locations. Users should consider using updated firmware if available or replace the device if security is critical [1].