VYPR
Unrated severity · NVD Advisory · Published Dec 20, 2022 · Updated Apr 16, 2025

CVE-2022-46434

Description

An issue in the firmware update process of TP-Link TL-WA7510N v1 v3.12.6 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing cryptographic signature verification and plaintext HTTP firmware delivery allow an attacker to replace the firmware image and recalculate its MD5 checksums to bypass integrity checks."

Attack vector

An attacker with a privileged network position (obtained via ARP spoofing, DNS spoofing, or similar techniques) intercepts the firmware upload session between the user and the TP-Link TL-WA7510N device [ref_id=1]. The firmware is delivered over plain HTTP with no cryptographic protection, and the device performs only MD5 checksum verification without any digital signature check [ref_id=1]. The attacker replaces several bytes in the kernel (e.g., 4 bytes at address range 0x207A0–0x207A3) with arbitrary values, recalculates the MD5 checksums in the firmware headers, and substitutes the crafted image for the legitimate one during upload [ref_id=1]. The device's verification function accepts the modified image because the checksums match, resulting in arbitrary code execution or denial of service [ref_id=1].

Affected code

The firmware verification function `upgradeFirmware` (decompiled in the advisory) calls `md5_verify_digest` to compare the image's MD5 checksum against the header value, but performs no cryptographic signature verification [ref_id=1]. The firmware image structure is [header, bootloader, header, kernel, rootfs], with each header containing an MD5 checksum that can be recalculated by an attacker [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory recommends that firmware updates be delivered over a cryptographically protected channel (e.g., HTTPS) and that the firmware image include a digital signature verified by the device before installation [ref_id=1]. Without these measures, an attacker who can intercept network traffic can trivially replace the firmware and recalculate its MD5 checksums to pass the existing integrity check [ref_id=1].
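The gap described above, as an added example (not code from the advisory or from TP-Link firmware): a checksum-only verifier accepts an image in which one section was replaced and its MD5 recomputed, while a verifier that checks a keyed tag over the whole image rejects it. The section layout, function names and key are constructed for illustration, and HMAC-SHA256 stands in for the recommended digital signature because the Python standard library has no asymmetric signatures; a real device would verify a vendor signature with an embedded public key.

```python
import hashlib
import hmac
import struct

# Constructed toy layout, NOT the TL-WA7510N header format: every section is
# [4-byte big-endian length][16-byte MD5 of body][body].
HDR = struct.Struct(">I16s")
TAG_LEN = 32  # HMAC-SHA256 tag prepended to the whole image

def pack_sections(bodies):
    """Build an image whose section headers carry an unkeyed MD5."""
    return b"".join(HDR.pack(len(b), hashlib.md5(b).digest()) + b for b in bodies)

def split_sections(image):
    """Return [(digest, body), ...]; raise ValueError on truncated input."""
    sections, pos = [], 0
    while pos < len(image):
        if pos + HDR.size > len(image):
            raise ValueError("truncated header")
        length, digest = HDR.unpack_from(image, pos)
        body = image[pos + HDR.size:pos + HDR.size + length]
        if len(body) != length:
            raise ValueError("truncated body")
        sections.append((digest, body))
        pos += HDR.size + length
    return sections

def verify_md5_only(image):
    """Checksum-only acceptance: catches corruption, not substitution."""
    try:
        sections = split_sections(image)
    except ValueError:
        return False
    return bool(sections) and all(hashlib.md5(b).digest() == d for d, b in sections)

def seal(image, key):
    """Prepend a keyed tag (stand-in for a vendor signature)."""
    return hmac.new(key, image, hashlib.sha256).digest() + image

def verify_authenticated(blob, key):
    """Accept only if the keyed tag over the whole image matches."""
    tag, image = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected) and verify_md5_only(image)

def rebuild_with(image, index, new_body):
    """Test fixture: replace one section and refresh its public MD5."""
    bodies = [b for _, b in split_sections(image)]
    bodies[index] = new_body
    return pack_sections(bodies)
```

The MD5 check still has value for catching accidental corruption, which is why `verify_authenticated` keeps it after the tag check; it only stops being a security control once the party producing the checksum may be someone other than the vendor.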

Preconditions

  • network: Attacker must have a privileged network position (e.g., via ARP spoofing or DNS spoofing) to intercept and replace the firmware upload traffic.
  • input: User must initiate a firmware update via the web interface, uploading a firmware image over plain HTTP.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
