The strcmp function in TP-Link routers, Archer C5 and WR710N-V1, used for checking credentials in httpd, is susceptible to a side-channel attack.
Description
A side‑channel vulnerability in TP-Link Archer C5 V2 and WR710N-V1 allows an attacker to guess HTTP Basic Authentication credentials byte-by-byte using response timing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The strcmp() function used for credential verification in the httpd daemon of TP-Link Archer C5 V2 (firmware version 160201) and WR710N-V1 (firmware version 151022) is susceptible to a side‑channel attack [1]. By measuring the response time of HTTP Basic Authentication requests, an attacker can determine the username and password byte by byte [1].
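Added example (not code from the TP-Link firmware or from this page): the early-exit stopping rule of strcmp() beside a constant-time comparison, with a step counter standing in for response time. `CRED_MAX`, the function names and the sample credential are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define CRED_MAX 32 /* assumed fixed credential buffer size */

/* Same stopping rule as strcmp(): stops at the first differing byte.
 * *steps counts bytes examined, a deterministic stand-in for elapsed time. */
int early_exit_equal(const char *a, const char *b, size_t *steps)
{
    size_t i = 0;
    while (a[i] == b[i] && a[i] != '\0') i++;
    *steps = i + 1;
    return a[i] == b[i];
}

/* Zero-pad a credential into a fixed-size buffer; reject oversized input. */
static int pad(unsigned char out[CRED_MAX], const char *s)
{
    size_t n = strlen(s);
    if (n >= CRED_MAX) return 0;
    memset(out, 0, CRED_MAX);
    memcpy(out, s, n);
    return 1;
}

/* Constant-time check: always examines all CRED_MAX bytes and ORs the
 * differences together, so the work is independent of the matching prefix. */
int ct_equal(const char *stored, const char *supplied, size_t *steps)
{
    unsigned char a[CRED_MAX], b[CRED_MAX], diff = 0;
    *steps = 0;
    if (!pad(a, stored) || !pad(b, supplied)) return 0;
    for (size_t i = 0; i < CRED_MAX; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *steps = CRED_MAX;
    return diff == 0;
}

int main(void)
{
    const char *stored = "hunter2-demo"; /* constructed sample credential */
    const char *guesses[] = { "xxxxxxxxxxxx", "huntxxxxxxxx", "hunter2-demo" };
    for (size_t g = 0; g < 3; g++) {
        size_t s1, s2;
        int r1 = early_exit_equal(stored, guesses[g], &s1);
        int r2 = ct_equal(stored, guesses[g], &s2);
        printf("%s: early-exit %d/%zu, constant-time %d/%zu\n", guesses[g], r1, s1, r2, s2);
    }
    return 0;
}
```

The early-exit step count grows with the length of the correct prefix, which is the signal response timing exposes; the constant-time count stays at `CRED_MAX` for every guess that fits the buffer.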
Exploitation
An attacker with network access to the router's HTTP management interface can send a series of crafted authentication requests. By measuring the timing differences in the httpd process response, each byte of the credentials can be guessed deterministically [1]. No authentication or user interaction on the target is required beyond the ability to reach the web interface.
Impact
Successful exploitation leads to the disclosure of the HTTP Basic Authentication credentials (username and password) [1]. With these credentials, the attacker gains administrative access to the router, which may allow further attacks, including configuration changes or enabling remote code execution via a related heap overflow vulnerability (CVE-2022-4498) [1].
Mitigation
As of the latest firmware available on January 11, 2023, TP-Link had not released a firmware update addressing this issue [1]. The CERT/CC is unaware of a vendor patch [1]. Users are advised to restrict network access to the router's management interface to trusted hosts only as a workaround.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- Range: V2_160221_US
Patches (0)
No patches discovered yet.
References (1)