Deco base station quarantined?!

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2019-06-30 18:06:46 - last edited 2019-07-01 17:02:16
Model: Deco M9 Plus  
Hardware Version:
Firmware Version: 1.2.8

So today, while being away from home, I get a notification saying that my deco m9 base station has been quarantined/blocked because of a SSL TLS FREAK with CBC Cipher TLS DHE RSA EXPORT WITH DES40 CBC SHA  =1.1

 

When I get back home, everything is seemingly working fine, and the base station is not blocked. I look this up on the internet and learn that this is a known “man in the middle” exploit... Since no one was at home at the time, I am curious/concerned as to how this could happen.

 

Should I have reason to be concerned, and how do I fix a potential issue?

 

Thanks,

Toby

#1
Re:Deco base station quarantined?!
2019-07-02 07:28:06

Hi,

 

The SSL protocol is old/out of date, so it is quarantined when the specific device accesses the Deco M9.

You can get this device via its MAC address shown on the antivirus history page and update it.

 

Good day. 

 

 

Nice to Meet You in Our TP-Link Community. Check Out the Latest Posts: Connect TP-Link Archer BE550 to Germany's DS-Lite (Dual Stack Lite) Internet via WAN Archer GE550 - BE9300 Tri-Band Wi-Fi 7 Gaming Router EasyMesh Is Available When Wi-Fi Routers Work in AP Mode as A Controller. Archer AX55V2 Supports WireGuard VPN, EasyMesh Ethernet Backhaul, IoT Network, Speed Limit,and More If you found a post or response helpful, please click Helpful (arrow pointing upward icon). If you are the author of a topic, remember to mark a helpful reply as the "Recommended Solution" (star icon) so that others can benefit from it.
#2
Re:Re:Deco base station quarantined?!
2019-07-02 08:23:43

Kevin_Z wrote

Hi,

 

The SSL protocol is old/out of date, so it is quarantined when the specific device accesses the Deco M9.

You can get this device via its MAC address shown on the antivirus history page and update it.

 

Good day. 

 

 

 

 

Hi, thanks.

 

However, the MAC address belongs to the Deco M9 base station (as shown in the anti-virus history!?). Does that mean the SSL protocol on the base station is out of date? And if so, how to fix that?

 

#3
Re:Re:Re:Deco base station quarantined?!
2019-07-02 08:29:43

Hi. Could you please show us a screenshot of the notification you saw and the MAC address on the antivirus history page?

 

#4
Re:Re:Re:Re:Deco base station quarantined?!
2019-07-02 10:01:23

Hi,

 

Yes please see below.

 

 

Thanks for the help!

 

 

#5
Re:Re:Re:Re:Re:Deco base station quarantined?!
2019-07-03 08:33:34

Hi,

 

Thanks for your reply.

 

As I said, the reason is that the SSL protocol of the specific device is out of date, though there may be some misunderstanding.

Because the device accesses the internet/server through the Deco itself, the SSL packet sent by the specific device was ultimately forwarded by the Deco; since the protocol version is old, it was quarantined by the antivirus software when trying to access the internet/server.

 

Good day. 

 

#6
Re:Re:Re:Re:Re:Re:Deco base station quarantined?!
2019-07-03 09:04:15

Ok thanks. However, not sure I fully understand.

 

1) How can I know what specific device has the out-of-date SSL protocol when the Anti virus history says it is the Deco?

 

2) This happened at a time when no one was at home, so I don't know what device would try and establish an SSL connection all by itself. The only device that would still be at home at that time could be an AppleTV, but that would likely be sleeping - and does not have an out-of-date SSL protocol according to the latest tvOS?

3) If indeed it was the AppleTV (or another device), why is it not the AppleTV that is blocked/quarantined, instead of the Deco itself? All other anti-virus alerts block the specific device (despite the device obviously using the Deco to connect to the internet).

4) What is in quarantine now - the Deco or some other device? According to the MAC address it should be the Deco...?!

 

5) How can I know for sure that the Deco has not been compromised?

 

6) What does the quarantine practically do? Will there be limited functionality? For how long will the Deco/device stay in quarantine?

 

This is still not very clear to me.

 

Thanks for your help.

 

 

#7
Re:Re:Re:Re:Re:Re:Re:Deco base station quarantined?!
2019-07-03 12:35:08

Q. Why is my device quarantined?

Sometimes you may find in your Messages that your device is being quarantined, this situation may occur when your device is sending sensitive information or security threats out of your network.

To find out the reason why the device is quarantined, please click the “>” button on the Message.

The Quarantine will only prevent infected devices from sending sensitive information or security threats to clients. But secure packets will still be sent out. In other words, it does not affect the normal use of the device itself.

Sometimes when you see the device quarantined, you may not want it to be quarantined. Then you can turn off the option Infected Device Quarantine in Antivirus.

 

 

 

 

 

Not hugely clear, and even still, everything points to the Deco being the source of the problem (else it would have the internal IP of the thing which needed quarantining or the external host of whomever is attacking).

I suspect this is either a bug of the mislabeling of the device, or indeed the Deco itself has attempted to connect to something which is susceptible to the FREAK vuln :-/ Either is far from ideal.

Come on TPLink/Kevin. Let's be a bit more clear as to what the issue is here.

#8
Re:Re:Re:Re:Re:Re:Re:Deco base station quarantined?!
2019-07-04 07:02:18

Hi Toby, 

 

I got your point, and that is what we are worried about now.

Because the current information is limited, our engineer will contact you later via email. If you are willing to do further troubleshooting, please check your inbox.

 

Thanks for your cooperation and support in advance, have a nice day. 

 

Toby wrote

Ok thanks. However, not sure I fully understand.

 

1) How can I know what specific device has the out-of-date SSL protocol when the Anti virus history says it is the Deco?

 

2) This happened at a time when no one was at home, so I don't know what device would try and establish an SSL connection all by itself. The only device that would still be at home at that time could be an AppleTV, but that would likely be sleeping - and does not have an out-of-date SSL protocol according to the latest tvOS?

3) If indeed it was the AppleTV (or another device), why is it not the AppleTV that is blocked/quarantined, instead of the Deco itself? All other anti-virus alerts block the specific device (despite the device obviously using the Deco to connect to the internet).

4) What is in quarantine now - the Deco or some other device? According to the MAC address it should be the Deco...?!

 

5) How can I know for sure that the Deco has not been compromised?

 

6) What does the quarantine practically do? Will there be limited functionality? For how long will the Deco/device stay in quarantine?

 

This is still not very clear to me.

 

Thanks for your help.

 

 

 

#9
Re:Re:Re:Re:Re:Re:Re:Re:Deco base station quarantined?!
2019-07-11 08:06:59 - last edited 2019-07-11 08:08:43

I have the same issue. Some checking showed me that the quarantined device is one of my Deco M9+ devices (MAC address matches). It happened about 5 times within the space of an hour, haven't seen it before or since.

 

The quarantine itself doesn't seem to impact anything though. Devices connected to the Deco device still have access and the app doesn't report any other issues.

 

Haven't added any screenshots as the ones above show EXACTLY what I see on mine. Same device name (different MAC obviously).

#10
Re:Re:Re:Re:Re:Re:Re:Re:Re:Deco base station quarantined?!
2019-07-12 10:22:42

@TimmieG 

 

Your case is caused by the SSL version of the link between the Deco and the web server being out of date.

Note: SSL is used to create a secure link between your Deco and the web server (HTTPS, known as encrypted HTTP).

We are going to move this rule away in our next firmware release and you won't be bothered anymore.

This will not cause any security threat to your network, and please be assured about that.

#11
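
Added example, not part of the thread and not TP-Link's code: the alert in this thread names an export-grade cipher suite, and one way to see which endpoint actually offers such suites is to inspect the ClientHello it sends in a packet capture. The sketch below parses a single TLS record and lists any export-grade suites offered; the function names and sample bytes are constructed for illustration, and it assumes the ClientHello fits in one record.

```python
import struct

# Export-grade suite IDs as assigned in the TLS 1.0/1.1 specifications.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def export_suites_offered(record: bytes) -> list[str]:
    """Return the export-grade suites offered in one TLS ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    # Content type 22 = handshake, handshake type 1 = ClientHello.
    if ctype != 22 or len(body) < rlen or len(body) < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello record")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    pos = 2 + 32                      # skip client_version and random
    if len(hello) < hlen or pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]             # skip session_id (length-prefixed)
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    suites = hello[pos + 2:pos + 2 + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher suite list")
    ids = struct.unpack(f"!{cs_len // 2}H", suites)
    return [EXPORT_SUITES[i] for i in ids if i in EXPORT_SUITES]

def sample_client_hello(suite_ids) -> bytes:
    """Build a constructed (not captured) TLS 1.1 ClientHello record."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (b"\x03\x02" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(export_suites_offered(sample_client_hello([0x002F, 0x0014, 0x0035])))
```

Run against ClientHello records taken from a capture on the LAN side, this shows per source address whether a client is still offering export-grade suites, which is the information the quarantine message alone does not give.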