The HTTP Basic Authentication process in the TP-Link Archer C5 and WR710N-V1 routers is susceptible to either a denial of service (DoS) or arbitrary code execution via any interface.
Description
Heap overflow in TP-Link Archer C5 and WR710N-V1 HTTP Basic Authentication allows remote DoS or arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in the httpd daemon of TP-Link routers WR710N-V1-151022 (firmware 2015-10-22) and Archer-C5-V2-160201 (firmware 2016-02-01) when processing HTTP Basic Authentication requests. The vulnerability is triggered by a crafted packet sent to the HTTP service, corrupting heap memory. No authentication is required to reach the vulnerable code path. [1]
Exploitation
An unauthenticated remote attacker can send a specially crafted HTTP Basic Authentication request to the router's httpd service. The malformed input causes a heap overflow, which can lead to a denial of service (crash of the httpd process) or, with further memory manipulation, arbitrary code execution. No user interaction or prior access is needed. [1]
Impact
Successful exploitation allows the attacker to either crash the httpd daemon (denial of service) or execute arbitrary code with the privileges of the httpd process, typically root on these embedded devices. This can result in full compromise of the router, including data exfiltration, network pivoting, or persistent control. [1]
Mitigation
As of the publication date (2023-01-11), TP-Link has not released a firmware update to address this vulnerability. The CERT/CC is currently unaware of a solution. Users should consider restricting remote access to the router's management interface, using a firewall to block untrusted sources, or replacing the device if possible. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 4
- Range: V2_160221_US
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.