A vulnerability classified as very critical was found in TP-Link Archer AX21. This vulnerability affects the function popen of the file /cgi-bin/luci;stok=/locale of the component Web Management Interface. The manipulation of the argument country with an unknown input leads to a os command injection vulnerability. The CWE definition for the vulnerability is CWE-78. The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

The weakness was released 03/16/2023. The advisory is shared for download at tenable.com. This vulnerability was named CVE-2023-1389 since 03/14/2023. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 03/16/2023). The MITRE ATT&CK project declares the attack technique as T1202.

Upgrading to version 1.1.4 Build 20230219 eliminates this vulnerability.

Productinfo

Vendor

• TP-Link

Name

• Archer AX21

License

• commercial

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion