CVE ID: CVE-2023-28760

CVSS Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: TP-Link

Affected Products: TP-Link Archer AX20, TP-Link Archer AX21 (Firmware 2.1.6 Build 20220128)

Vulnerability Details:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX20 and AX21 routers. Authentication is not required to exploit this vulnerability.

The specific flaw is a misconfiguration of the minidlnad db_dir setting, which results in attacker control of the minidlnad database file. An attacker can leverage this vulnerability to trigger a known stack-based buffer overflow and execute code in the context of root.
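A configuration audit for the db_dir issue described above, added here as an illustration and not taken from the advisory, the vendor or the proof of concept. It assumes minidlna.conf-style `key=value` lines; the sample configs, their paths and the `writable_roots` list (locations that network users can write to) are constructed.

```python
import posixpath

# Constructed sample configs (not taken from the affected firmware).
WEAK_CONF = """\
media_dir=V,/mnt/share/media
# The next value resolves to /mnt/share/.minidlna, inside the shared volume.
db_dir=/mnt/share/media/../.minidlna
"""
FIXED_CONF = """\
media_dir=V,/mnt/share/media
db_dir=/var/run/minidlna
"""

def parse_conf(text):
    """Return (db_dir, media_dirs) from minidlna.conf-style key=value lines."""
    db_dir, media_dirs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "db_dir":
            db_dir = value
        elif key == "media_dir":
            # Strip an optional media-type prefix such as "V," or "PV,".
            head, sep, tail = value.partition(",")
            media_dirs.append(tail if sep and head.isalpha() else value)
    return db_dir, media_dirs

def is_within(path, root):
    """Lexical containment check after collapsing '.' and '..' components."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit_db_dir(conf_text, writable_roots=()):
    """List reasons the database directory is reachable by an untrusted writer."""
    db_dir, media_dirs = parse_conf(conf_text)
    if db_dir is None:
        return ["db_dir is not set explicitly"]
    findings = []
    if not db_dir.startswith("/"):
        findings.append("db_dir is a relative path")
    for root in media_dirs:
        if is_within(db_dir, root):
            findings.append(f"db_dir is inside media_dir {root}")
    for root in writable_roots:
        if is_within(db_dir, root):
            findings.append(f"db_dir is inside writable root {root}")
    return findings
```

The containment check is lexical only; on a live system, resolve symlinks (for example with `os.path.realpath`) before comparing paths.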

Vendor Response:

TP-Link has issued an update to correct this vulnerability. More details can be found at: https://www.tp-link.com/us/support/download/archer-ax20/#Firmware

Disclosure Timeline:

  • 2023-02-04 – Sent to TP-Link Support

  • 2023-03-12 – Sent follow-up email inquiring about the status of the report

  • 2023-03-17 – Received a reply stating the firmware has been patched

  • 2023-03-18 – Sent a follow-up email inquiring about a public advisory to inform their customers

  • 2023-03-21 – TP-Link support states that they cannot provide any security advisory and suggests that Source Incite remind users to upgrade to the latest firmware

  • 2023-03-27 – Coordinated public release of advisory in order to remind users of an upgrade

Proof of Concept: /pocs/src-2023-0003.py.txt

Credit: This vulnerability was discovered by Rocco Calvi and Steven Seeley of Incite Team