Wednesday, January 27, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Google security engineer discloses zero-day flaw in TP-Link smart home routers

March 29, 2019
in Internet Security
Google security engineer discloses zero-day flaw in TP-Link smart home routers
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Google Project Zero accuses Linux of sloppy kernel patching
Project Zero accuses Linux distributions of leaving users exposed to known kernel vulnerabilities for weeks.

A zero-day vulnerability impacting TP-Link SR20 smart home routers has been exposed publicly after the company allegedly failed to respond to a researcher’s private disclosure.

You might also like

Predictive policing is just racist 21st century cyberphrenology

10-years-old Sudo bug lets Linux users gain root-level access

F5 Networks fiscal Q1 revenue, profit beat expectations, revenue outlook higher as well

Matthew Garrett, a Google security engineer, revealed the bug after the company failed to fix the issue within 90 days, a timeframe now established within cybersecurity which is considered to be a reasonable amount of time offered to vendors to fix reported security issues.

The security flaw is a zero-day arbitrary code execution (ACE) bug in TP-Link SR20 routers, which are dual band 2.4 GHz / 5 GHz products touted as routers suitable for controlling smart home and Internet of Things (IoT) devices while lessening the risk of bottlenecks. 

The SR20 also supports devices which make use of the ZigBee and Z-Wave protocols.

As documented in this Twitter conversation feed, Garrett disclosed his findings to TP-Link over 90 days ago via the firm’s online security disclosure form.

Despite TP-Link promising researchers they would hear back within three business days, weeks later, there was no response. Attempts to contact TP-Link through other channels also failed.  

CNET: DEA phone record collection program needs further review, DOJ says

According to Garrett, the problem lies in a process that TP-Link routers frequently run called “tddp,” the TP-Link Device Debug Protocol. This process runs at a root level and can initiate two forms of commands; one type which does not require authentication — type one — and one which does, categorized as type two.

The SR20 router vulnerability exposes some type one commands, one of which — command 0x1f, request 0x01 — appears to be for configuration validation.

“You send it a filename, a semicolon and then an argument,” the security engineer says. “The router then connects back to the requesting machine over TFTP, requests the filename via TFTP, imports it into a LUA interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root.”

TechRepublic: Unpatched vulnerability in MikroTik RouterOS enables easily exploitable denial of service attack

The os.execute() method will then permit an attacker to run as root as execute whatever they wish on a local network, which could result in the full hijack of a vulnerable device.

“Stop shipping debug daemons on production firmware and if you’re going to have a web form to submit security issues then have someone actually respond to it,’ Garrett added, in relation to TP-Link.

See also: Hijacked ASUS Live Update software installs backdoors on countless PCs worldwide

Further technical details concerning the vulnerability have been published in a blog post written by the security engineer. Proof-of-concept (PoC) code has also been released.

TP-Link’s situation is not the only router-related security issue to appear this week. Cisco has also ended up in the hot seat after failing to properly patch Cisco RV320 and RV325 WAN VPN routers against remote attacks. 

ZDNet has reached out to TP-Link and will update if we hear back. 

Previous and related coverage


Credit: Source link

Previous Post

Here's the List of ~600 MAC Addresses Targeted in Recent ASUS Hack

Next Post

Machine Learning Professionals Need Degree!(?) – Becoming Human: Artificial Intelligence Magazine

Related Posts

Predictive policing is just racist 21st century cyberphrenology
Internet Security

Predictive policing is just racist 21st century cyberphrenology

January 27, 2021
10-years-old Sudo bug lets Linux users gain root-level access
Internet Security

10-years-old Sudo bug lets Linux users gain root-level access

January 27, 2021
F5 Networks fiscal Q1 revenue, profit beat expectations, revenue outlook higher as well
Internet Security

F5 Networks fiscal Q1 revenue, profit beat expectations, revenue outlook higher as well

January 27, 2021
Apple fixes another three iOS zero-days exploited in the wild
Internet Security

Apple fixes another three iOS zero-days exploited in the wild

January 27, 2021
Firefox support for Flash ends on January 26
Internet Security

Firefox 85 removes Flash and adds protection against supercookies

January 27, 2021
Next Post
Machine Learning Professionals Need Degree!(?) – Becoming Human: Artificial Intelligence Magazine

Machine Learning Professionals Need Degree!(?) – Becoming Human: Artificial Intelligence Magazine

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Why 76% of enterprises are prioritising AI and machine learning in 2021 IT budgets – Cloud Tech
Machine Learning

Why 76% of enterprises are prioritising AI and machine learning in 2021 IT budgets – Cloud Tech

January 27, 2021
Predictive policing is just racist 21st century cyberphrenology
Internet Security

Predictive policing is just racist 21st century cyberphrenology

January 27, 2021
Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild
Internet Privacy

Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild

January 27, 2021
Airport Runway Foreign Object Debris (FOD) Detection System to bolster with Advancement in Sensor Technology!
Data Science

Airport Runway Foreign Object Debris (FOD) Detection System to bolster with Advancement in Sensor Technology!

January 27, 2021
New machine learning tool predicts schizophrenia
Machine Learning

New machine learning tool predicts schizophrenia

January 27, 2021
10-years-old Sudo bug lets Linux users gain root-level access
Internet Security

10-years-old Sudo bug lets Linux users gain root-level access

January 27, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Why 76% of enterprises are prioritising AI and machine learning in 2021 IT budgets – Cloud Tech January 27, 2021
  • Predictive policing is just racist 21st century cyberphrenology January 27, 2021
  • Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild January 27, 2021
  • Airport Runway Foreign Object Debris (FOD) Detection System to bolster with Advancement in Sensor Technology! January 27, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates