Archer A2300 - Firewall opening ports w/o authorization

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-12-02 15:59:25 - last edited 2019-12-02 16:07:10
Model: Archer A2300  
Hardware Version: V1
Firmware Version: 2.0.2 20180123 73741


Hey guys,

TL;DR - This morning, I noticed that my Archer A2300 had opened/forwarded a single port to an internal server without my authorization. The logs give no indication of this ever happening. A reboot of the router had no effect. Disabling port forwarding (destined for another port/machine), then re-enabling it, seems to have fixed the issue.

Longer version - I have been using an Archer A2300 on one of my networks for about two years now. The network in question is connected to a small virtualized lab hosting a handful of virtual machines, along with some Docker containers which host a number of services for internal use.

The only port I have explicitly open/forwarded on the A2300 is 1195/udp, which forwards internally to 10.10.10.5 on port 1195. This is a VPN server and serves as the only means of accessing my internal services while working remotely. There are currently no machines residing in the DMZ and no other ports have been explicitly opened or forwarded. Remote management and all other unneeded/insecure services have been disabled.

The server that was exposed this morning resides at 10.10.10.10 and the open port was 8096/tcp, which is a Jellyfin media server. I was made aware of this after receiving an email from my NIDS stating that a large number of connections and unsuccessful authorization attempts were happening on this machine. The router's WebUI did not indicate that this port was opened or forwarded. The logs had no mention of the same. It was confirmed open and responsive via an nmap scan, and then by requesting the site (http://<WAN-IP>:<PORT>/), both from an off-site machine.

As a security analyst, this troubles me. I see no evidence of tampering or any sort of breach on any of my machines. It appears that there may be a bug in the A2300 firmware that wrongly opens/forwards ports when certain triggers are met. I'm working now to try and replicate the issue in the hopes of figuring out why this is happening and to keep others in the community from experiencing the same issue.

If anyone else has experienced this, has questions or anything at all, I'm all ears.

ETA: Attached a network topo. Should give an idea of why a glitch like this bothers me.

https://i.imgur.com/NxIYyTw.png

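As an added example (not code from the original post), here is a small check an operator can run over the grepable output of their own external nmap scan of the WAN address, flagging any open port that is not in an expected-exposure allowlist. The nmap output lines and the 203.0.113.10 address are constructed to mirror the situation described above (1195/udp expected, 8096/tcp not).

```python
import re
from typing import Iterable, List, Set, Tuple

# Expected external exposure for the network described above: only the VPN listener.
EXPECTED_EXPOSURE = {(1195, "udp")}

# Constructed sample of nmap grepable output (-oG) from an off-site scan of the WAN
# address. The address and service names are made up for this example.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sS -sU -p T:1-10000,U:1195 -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 1195/open/udp//openvpn///, 8096/open/tcp//http///\tIgnored State: filtered (9999)
# Nmap done
"""

# One entry in the "Ports:" field looks like  port/state/proto/owner/service/rpc/version
# The state may be a compound such as "open|filtered", hence the [a-z|?] class.
PORT_ENTRY = re.compile(r"(\d+)/([a-z|?]+)/(tcp|udp|sctp)/")


def parse_open_ports(grepable: str) -> Set[Tuple[int, str]]:
    """Return {(port, proto)} for every port that nmap reported as definitely open."""
    found: Set[Tuple[int, str]] = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports field is tab-delimited from the following fields.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_ENTRY.findall(ports_field):
            if state == "open":  # skip open|filtered, closed, filtered, etc.
                found.add((int(port), proto))
    return found


def unexpected_exposure(grepable: str,
                        allowlist: Iterable[Tuple[int, str]] = EXPECTED_EXPOSURE
                        ) -> List[Tuple[int, str]]:
    """Open ports not covered by the allowlist, sorted so alerts are deterministic."""
    return sorted(parse_open_ports(grepable) - set(allowlist))


if __name__ == "__main__":
    for port, proto in unexpected_exposure(SAMPLE_NMAP_GREPABLE):
        print(f"ALERT: {port}/{proto} reachable from the WAN but not in the allowlist")
```

Scheduling a run of this against a fresh scan (and alerting on a non-empty result) gives an independent check that does not rely on the router's own WebUI or logs, which in the case above showed nothing.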
Re: Archer A2300 - Firewall opening ports w/o authorization
2020-07-07 14:52:12

Well, it doesn't appear that anyone on this forum gives a damn but I wanted to point out that this has happened 5 more times since I created this thread last December.

It happened again today and after seeing yet another wave of (thankfully unsuccessful) attacks on the ports that should be firewalled, I'm replacing the router and avoiding TP-Link products in the future. I'll be telling my clients to avoid them as well.


For what it's worth, I will also be reverse engineering the router's firmware to locate the issue(s) myself and will be posting the results publicly.
