Home

TP-Link TL-WR840N V5(EU) and v6.20(EU) UART shell

#TPLINK, #CVE, #UARTSHELL

Last Modified: 2022.05.25.

Advisory

Obtaining root privileges on devices with physical access can be complicated and simple.

A hardware manufacturer is expected to disable hardware debugging interfaces in the end product of commercial products. Unfortunately, many manufacturers do not do this. It would be good to get manufacturers to pay more attention to security.

UART is also one such interface. It is a security issue in itself if it remains enabled. So-called UART shells can be restricted in many ways. It is recommended to set at least password protection.

For a long time, I thought it was not worth reporting such vulnerabilities because in most cases no one cares.

I have noticed that such vulnerabilities in network devices such as routers have recently begun to be reported. (Example: https://nvd.nist.gov/vuln/detail/CVE-2021-23147)

Because the TP-Link TLWR840N EU v6.20 is still available in stores, I have decided to report the vulnerability as well.

TP-Link TLWR840N EU v5/v.620 does not have sufficient protection for the UART console. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection and execute commands as the root user without authentication.

Model: TP-Link TL-WR840N EU v5
Model: TP-Link TL-WR840N EU v6.20

Hardware setup with an FT232 device:

3

# check serial port
screen /dev/tty.usbserial-AB0LR7NH 115200

interactive admin/root shell without password:

2

Notes

I reported it to the TP-Link security team and as I know they will not fix the issue.

I would like to say thank you to the TP-Link Security Team.

Timeline

It is difficult to say an exact timeline in this case because it has been reported separately along with other vulnerabilities.

© 2019-2022 Kamill√≥ Matek (<ᚫᛗIᛚᛚᛟ) All Rights Reserved