See this post: https://community.tp-link.com/en/business/forum/topic/150035

Hi LorisAlbanese,

I'm in a hurry because I wait since June last year for fixes to a root exploit I did discover when EAP Controller v2.4.7, first version for Linux, was released. Back then, I informed TP-Link about those holes and did sent them a modified start/stop script, which fixed at least the root exploit.

You can even find those postings from June 2017 here in the forum in the discussion about the missing Privilege Separation in previous versions of EAP Controller.

From what I saw now, the attack vector for Privilege Escalation has been finally fixed by TP-Link in v2.7.0, although I don't know (yet), wether Privilege Separation will be introduced by the official v2.7.0 or wether TP-Link just closed the attack vector (port 1099, Java RMI) visible to the outside. We will see.

That's why I'm in a hurry - our company has deployed EAP Controller on a public Internet server. It has been reported that the root exploit was successfully used by hackers on at least two servers I know of, one of these a server of my customer. So the early adaption of my fixes could help to mitigate those attacks after the systems had been restored. 

Other security fixes from TP-Link appeared in EAP Controller v2.6.1, which unfortunately was available only for Windows, so I made a Linux version. In detail, those security-related bugs, which were already openly discussed in hacker forums, were supposedly fixed in v2.6.1:

CVE-2018-10164: Cross-site scripting (XSS) vulnerability via portalPictureUpload

CVE-2018-10165: Cross-site scripting (XSS) vulnerability via local user creation functionality

CVE-2018-10166: Cross Site Request Forgery vulnerability in authentication tokens

CVE-2018-10167: Hard-coded cryptographic key attack vector

CVE-2018-10168: Privilege Escalation attack vector

I strongly urge anyone running EAP Controller < v2.7.0 on Linux or < 2.6.1 on Windows to upgrade to Omada Controller v2.7.0 and JRE8 as fast as possible. Exception: the community version of EAP Controller v2.6.1 for Linux is relatively safe already.

miked315 wrote

I contacted support asking about 2.7.0 for Linux and they said it would be 1-3 months, I hope that's not true.

I did wait months until the release of the first Linux version 2.4 (from 2016 to July 2017) only to discover that it missed Privilege Separation.

As did version 2.5 of November 2017.

Why don't you use the community version of Omada Controller 2.7.0 for Linux in the meantime?

Its start/stop script for Linux has been tested and constantly improved for more than a year now (precisely, I published the first version of tpeap in the old forum at 2017-07-21 already, just few days after the first Linux version 2.4.7 appeared).

Remaining files are original Java files - very same as in the Windows version - and latest Open Source version of mongodb and Oracle's JRE 8 both to be downloaded from their official repositories (Debian / Devuan / Raspbian / Ubuntu / Fedora / Slackware / Oracle / younameit).