Injection flaw discovered in TP-Link Archer AX21 (AX1800)

Cyber attacks are common nowadays; one such case is described below:

TP-Link Archer AX21 (AX1800) firmware versions prior to 1.1.4 Build 20230219 contain a command injection flaw tracked as CVE-2023-1389. By supplying malicious input to the country form of the device’s web administration interface, an attacker can run arbitrary commands on the target device. The flaw was submitted to the CVE® Programme, which identifies, describes and catalogues publicly known cybersecurity vulnerabilities.

Attack attempts using CVE-2023-1389 were observed in the wild after the vulnerability’s fix became public. The Mirai botnet and other threat actors have added this vulnerability to their toolkits, and attackers continue to exploit it.

The vulnerability is classified as “Improper Neutralization of Special Elements used in a Command (‘Command Injection’)” and is recorded in the National Vulnerability Database (NVD).

Root Cause Analysis:

CVE-2023-1389 is a command injection flaw in the country form of the /cgi-bin/luci;stok=/locale endpoint of the web management interface of TP-Link Archer AX21 (AX1800) firmware versions prior to 1.1.4 Build 20230219, the version that fixed it. The vulnerability arises because the country parameter of the write operation was not sanitized before being used in a call to popen(). As a result, an unauthenticated attacker can inject commands through a simple POST request and have them executed as root.
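The fix pattern this root cause calls for, shown as an added example that is not TP-Link’s code: the country value is checked against a strict allowlist before use, and it is handed to the helper as a single argv element instead of being interpolated into a shell string for popen(). The LOCALE_HELPER path, the --country flag, the two-letter allowlist and the injectable runner parameter are all assumptions made for illustration.

```python
import re
import shlex
import subprocess

# Placeholder path for a locale helper on the device (assumption, not a real TP-Link path).
LOCALE_HELPER = "/usr/sbin/set-locale-placeholder"

# Strict allowlist: exactly two uppercase ASCII letters. This is an assumption about
# what a country selector should accept; adjust it to the device's real value set.
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def validate_country(value):
    """Return the country code if it is on the allowlist, otherwise raise ValueError."""
    if not isinstance(value, str) or not COUNTRY_RE.fullmatch(value):
        raise ValueError("country must be exactly two uppercase ASCII letters")
    return value


def build_locale_argv(country):
    """Build an argv list; the value becomes one argument and is never shell text."""
    return [LOCALE_HELPER, "--country", validate_country(country)]


def apply_locale(country, runner=subprocess.run):
    """Apply a country setting through a subprocess started without a shell.

    `runner` is injectable so the function can be exercised on a host where the
    placeholder helper does not exist.
    """
    argv = build_locale_argv(country)
    # shell=False means argv[2] reaches the helper verbatim: shell metacharacters
    # in it would not be interpreted even if validation were somehow bypassed.
    return runner(argv, shell=False, check=True, capture_output=True, text=True)


def shell_fallback_command(country):
    """If a shell string is unavoidable (popen-style APIs), quote the argument.

    Validation still runs first; quoting is defence in depth, not a replacement.
    """
    return f"{LOCALE_HELPER} --country {shlex.quote(validate_country(country))}"


def is_rejected(value):
    """Convenience predicate: True when validate_country refuses the value."""
    try:
        validate_country(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate code, the rest shaped like injection attempts.
    for sample in ["US", "US;marker", "$(marker)", "`marker`", "US\nmarker", "", "us"]:
        print(repr(sample), "rejected" if is_rejected(sample) else "accepted")
```

The two defences are independent: the allowlist rejects anything that is not a plausible country code, and building an argv list removes the shell from the path entirely, so a weak allowlist would no longer be enough to reach command execution.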


Impact:

The country form of TP-Link Archer AX21 (AX1800) firmware versions prior to 1.1.4 Build 20230219 contains a command injection vulnerability (CVE-2023-1389). The flaw has clearly been exploited in the wild, since the Mirai botnet updated its toolset to include it. An attacker can use this issue to achieve remote code execution and run arbitrary code on the targeted device. The vulnerability is considered extremely dangerous. The speed with which this CVE was exploited after the patch was released illustrates the shrinking “time-to-exploit” window being observed across the industry. The issue has been assigned a CVSS severity rating, which measures how serious the vulnerability is.

Affected Software:

CVE-2023-1389 affects TP-Link Archer AX21 (AX1800) firmware versions prior to 1.1.4 Build 20230219. To mitigate the issue, update the firmware to version 1.1.4 Build 20230219 or later. Third-party firmware such as DD-WRT can be used to replace the stock firmware on TP-Link devices, although using the official firmware is recommended to ensure the device’s security.

Detection and Response:

Exploitation attempts targeting CVE-2023-1389 were found in the wild on April 21, 2023. According to new attack attempts discovered by the Eastern European threat-hunting team of the Zero Day Initiative (ZDI), the Mirai botnet has updated its toolkit to include CVE-2023-1389. TP-Link fixed the flaw through a firmware update in March, but real attack attempts using this CVE were only found after the fix was made public. The severity of the vulnerability is critical. Updating the firmware to 1.1.4 Build 20230219 or later is recommended to mitigate the vulnerability. The quickness with which this CVE was exploited after the patch was released again demonstrates the industry’s shrinking “time-to-exploit” window.
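A detection pass over web-server access logs, added here as an example and not part of the original advisory or of any vendor tooling: it parses combined-format request lines, keeps only requests to the /cgi-bin/luci;stok=/locale endpoint named above, and reports any country value that contains shell metacharacters or otherwise does not look like a country code. The sample log lines are constructed, and the form=country / operation=write query parameter names are assumptions; on the real device the parameters may travel in the POST body, which an access log does not record, so a WAF or IDS that inspects bodies is needed for full coverage.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint named in the advisory text; the empty stok value is what an
# unauthenticated request to it looks like.
LOCALE_ENDPOINT = "/cgi-bin/luci;stok=/locale"

# Request-line extraction for Apache/nginx combined-style access logs.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A country code never needs anything outside this character set.
ALLOWED_COUNTRY_CHARS = re.compile(r"^[A-Za-z0-9_-]*$")

# Characters with shell meaning; their presence is reported explicitly.
SHELL_META = set(";|&`$(){}<>\n\\")


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(line):
    """Return a finding dict for a suspicious locale request, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    path, _, query = rec["target"].partition("?")
    if unquote_plus(path) != LOCALE_ENDPOINT:
        return None
    # parse_qs percent-decodes values and splits only on '&', so ';' survives
    # inside a value where it can be inspected.
    params = parse_qs(query, keep_blank_values=True)
    reasons = []
    for value in params.get("country", []):
        meta = sorted(set(value) & SHELL_META)
        if meta:
            reasons.append(f"shell metacharacters in country: {meta}")
        elif not ALLOWED_COUNTRY_CHARS.match(value):
            reasons.append("non-alphanumeric country value")
        if len(value) > 8:
            reasons.append(f"country value unusually long ({len(value)} chars)")
    if not reasons:
        return None
    return {"src": rec["src"], "ts": rec["ts"], "status": rec["status"], "reasons": reasons}


def scan(lines):
    """Run inspect_request over every line and keep the findings."""
    return [f for f in (inspect_request(line) for line in lines) if f]


# Constructed sample log lines (not real captures); the parameter names are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2023:10:15:32 +0000] "POST /cgi-bin/luci;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 154',
    '198.51.100.7 - - [21/Apr/2023:10:15:40 +0000] "POST /cgi-bin/luci;stok=/locale?form=country&operation=write&country=US%3Becho+constructed_marker HTTP/1.1" 200 154',
    '198.51.100.7 - - [21/Apr/2023:10:15:41 +0000] "GET /cgi-bin/luci;stok=/locale?form=lang HTTP/1.1" 200 312',
    '203.0.113.5 - - [21/Apr/2023:10:16:02 +0000] "POST /cgi-bin/luci;stok=/locale?form=country&operation=write&country=%24%28constructed%29 HTTP/1.1" 500 0',
    '203.0.113.5 - - [21/Apr/2023:10:16:03 +0000] "GET /webpages/index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["src"], finding["status"], "; ".join(finding["reasons"]))
```

Only the two lines carrying metacharacters in the country value are reported; the legitimate write of country=US and the unrelated locale and index requests are ignored, which keeps the rule usable on a busy device without tuning. Pair the alert with the firmware version check from the previous section: a flagged request against a device still running a version prior to 1.1.4 Build 20230219 should be treated as a probable compromise, not just an attempt.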


Recommendation:

  1. Upgrade the TP-Link Archer AX21 (AX1800) firmware to the latest stable version, i.e. 1.1.4 Build 20230219 or later. Applying vendor-issued fixes promptly is critical to mitigating the vulnerability.
  2. Maintain software updates: install the most recent security patches and updates regularly for your operating system, applications and any other software used within your company. This ensures that known vulnerabilities are fixed and that attackers cannot exploit them.
  3. Use multi-factor authentication and strong passwords: make sure that the passwords for all user accounts are strong and changed regularly. Implementing multi-factor authentication is also recommended, as it raises the bar for attackers.
  4. Grant users access only to the systems and data they need to carry out their assigned tasks. Remove unused privileges to stop attackers from gaining unauthorized access to sensitive data.