TP-Link Omada System Vulnerabilities Could Lead to Root Access

• Security researchers have discovered several critical flaws in the TP-Link Omada system that could lead to root access.
• Twelve vulnerabilities were identified, including buffer overflow, command execution, and denial of service.
• These were reported to the vendor and now have patches available that users can apply.

Security researchers at Cisco Talos have discovered and helped patch 12 unique vulnerabilities in the TP-Link Omada system that could lead to remote code execution (RCE), denial of service (DoS), arbitrary command injection, and more.

The TP-Link Omada system is a software-based networking solution for small to medium businesses. Devices in this ecosystem include wireless access points, routers, switches, VPN devices, and hardware controllers for the Omada software. 

Cisco Talos researchers focused on a small subset of the available devices, including the EAP 115 and EAP 225 wireless access points, the ER7206 gigabit VPN router, and the Omada software controller. 

Many TP-Link devices use TDDP, TP-Link’s Device Debug Protocol, which remotely services the device and is only open during the first 15 minutes of a device’s runtime. However, various functions on the device are exposed during these 15 minutes, seemingly directly related to factory testing.

CVE-2023-49906 and CVE-2023-49913 (TALOS-2023-1888) are stack-based buffer overflow vulnerabilities in the Radio Scheduling functionality that can lead to remote code execution via a specially crafted series of HTTP requests. CVE-2023-48724 (TALOS-2023-1864) permits memory corruption via DoS of a TP-Link device's Web interface using a specially crafted HTTP POST request. 

CVE-2023-49133 and CVE-2023-49134 (TALOS-2023-1862) in the tddpd enable_test_mode functionality permit arbitrary command execution, while CVE-2023-49074 (TALOS-2023-1861) in the TDDP functionality allows resetting the device to its factory settings, and CVE-2023-47618 (TALOS-2023-1859) was seen in the Web filtering functionality of an Omada VPN router, permitting post-authentication command execution.

CVE-2023-47617 (TALOS-2023-1858) and CVE-2023-46683 (TALOS-2023-1857) affect the VPN router and can lead to arbitrary command injection when configuring the Web group member and WireGuard, respectively.

CVE-2023-42664 (TALOS-2023-1856) and CVE-2023-47167 (TALOS-2023-1855) are post-authentication command injection vulnerabilities in the VPN router that appear when setting up the PPTP global configuration and in the GRE policy functionality, respectively.

CVE-2023-47209 (TALOS-2023-1854), CVE-2023-36498 (TALOS-2023-1853), and CVE-2023-43482 (TALOS-2023-1850) permit arbitrary command injection via the IPsec policy, the PPTP client, and the guest resource functionalities on the VPN router, respectively.