SRC-2023-0003 : TP-Link Archer AX20/AX21 minidlnad db_dir Remote Code Execution Vulnerability
CVE ID: CVE-2023-28760
CVSS Score: 8.8, (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: TP-Link
Affected Products: TP-Link Archer AX20, TP-Link Archer AX21 (Firmware 2.1.6 Build 20220128)
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX20 and AX21 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the misconfiguration of the db_dir mindlnad setting. The issue results from the control of the minidlnad database file. An attacker can leverage this vulnerability to trigger a known stack based buffer overflow and execute code in the context of root.
TP-Link has issued an update to correct this vulnerability. More details can be found at: https://www.tp-link.com/us/support/download/archer-ax20/#Firmware
2023-02-04 – Sent to TP-Link Support
2023-03-12 – Sent follow up email inquiring about the status of the report
2023-03-17 – Received a reply stating the firmware has been patched
2023-03-18 – Sent a followup email inquiring about a public advisory to inform their customers
2023-03-21 – TP-Link support state that they cannot provide any security advisory and suggests that Source Incite remind users to upgrade to the latest firmware
2023-03-27 – Coordinated public release of advisory in order to remind users of an upgrade
Proof of Concept: /pocs/src-2023-0003.py.txt
Credit: This vulnerability was discovered by Rocco Calvi and Steven Seeley of Incite Team