Access tokens left live after administrator logoff - query around recent vulnerabilities

2021-09-04 11:58:54
Model: Archer VR2100  
Hardware Version: V1
Firmware Version: 1.5.0 0.9.1 v009e.0 Build 210722 Rel.37847n

Hello,

I would like a proper response to the questions below. Can this be shunted up the line until someone capable of responding can do so, please? I realise some of the questions are strategic and not technical, but I need to see how importantly TP-Link takes this. The responses will tell, and will inform my decision to stay or move to another manufacturer that does take security seriously.

I have questions around recently discovered vulnerabilities in TP-Link consumer hardware. They stem from this article: https://www.forbes.com/sites/daveywinder/2021/09/04/this-best-selling-router-includes-an-alarming-security-surprise/

Whilst the article specifically mentions the C50, my queries revolve around the shared nature of the OS software that underpins many models offered by one manufacturer.

Of the 24 vulnerabilities found, 7 were classed as 'most likely present', some of which were then detailed:

  • CVE-2016-4805, CVE-2010-4160 open the door to potential denial of service attacks against the router.
  • CVE-2014-4943, CVE-2014-3158 could enable an attacker to gain network privileges.
  • CVE-2021-22876 has the potential to leak credentials.
  • CVE-2020-8285 might allow an attacker to steal user data.
  • CVE-2020-36254 provides a method of bypassing access restrictions.

1) Given the oldest of those detailed dates from 2014, does TP-Link take security seriously? The pandemic, coupled with changes in working practices have highlighted the need for increasingly robust network devices at home. We are over a year on from the start, and nobody sat down to review security?

2) Having access tokens still live after administrator logoff: is this specific issue resolved across the device landscape?

3) Is there a security audit cycle present within the company / product life cycle at all?

4) What is the company's policy on supporting devices once released? How does this policy work with the V1,V2,V3 release cycles?

5) Are end-of-life devices clearly marked on the website?

6) Can you make the V1, V2, V3 more visible on your packaging? This will kill demand for older devices, but, this is your problem, not a customer problem (which you are making it at the moment). Either that, or work out a new supply chain / product life cycle strategy (maybe both).

To anyone still reading this:

a) If you just run a home network for the family and your router allows it, turn on automatic updates. This helps keep your family safe, so long as TP-Link do their side of the deal and regularly review vulnerabilities and how they relate to their devices. It's still worth setting this.

b) If your router doesn't have auto-update, build this check into your monthly/weekly routine. Go check now and update after backing up your router configuration.

c) If you run internet-facing services at home, build this check into your change management for that service.

d) If you're buying a router, take a look at the manufacturer's security stance. Look for information on the frequency of updates. If there isn't any, ask. If you don't get an answer, then you know what to do. Only reward those that are willing to engage. Security isn't something to take lightly these days; the quicker manufacturers realise this, the better. Unfortunately, a lot of change will only happen if we, the consumers, tell them, through our purchasing habits.

Kind regards,

Mike

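The headline issue of this thread, tokens that keep working after the administrator logs off, comes down to whether logoff revokes the session on the server or only clears the browser cookie. The following is a constructed illustration added here; it is not TP-Link firmware code and not the poster's, and the session-store layout and the idle timeout value are assumptions.

```python
import secrets
import time

# Constructed illustration, not TP-Link firmware: a session store where the
# weak logoff only clears the browser cookie (the server still honours the
# token) and the hardened logoff revokes it server-side; an idle timeout
# bounds the life of any token that was never explicitly revoked.

SESSION_IDLE_TTL = 600  # seconds of inactivity before a token dies (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def is_valid(self, token, now=None):
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return False
        if now - sess["last_seen"] > SESSION_IDLE_TTL:
            del self._sessions[token]  # expired: drop it on first touch
            return False
        sess["last_seen"] = now
        return True

    def logout_weak(self, token):
        # The flaw: only the client is told to forget the cookie; the server
        # keeps the token, so any copy of it still authenticates as admin.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_hardened(self, token):
        # Revoke server-side first, then clear the cookie.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def demo():
    store = SessionStore()
    t = store.login("admin", now=1000.0)
    store.logout_weak(t)
    weak_still_valid = store.is_valid(t, now=1001.0)  # True: the bug
    store.logout_hardened(t)
    hardened_valid = store.is_valid(t, now=1002.0)  # False: revoked
    t2 = store.login("admin", now=2000.0)
    idle_expired = store.is_valid(t2, now=2000.0 + SESSION_IDLE_TTL + 1)
    return weak_still_valid, hardened_valid, idle_expired
```

The same check applies to a real device: after logging off the admin UI, replaying the old session cookie from your own machine should be rejected; if it is still accepted, the firmware has the weak pattern.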
Re: Access tokens left live after administrator logoff - query around recent vulnerabilities
2021-09-07 02:31:42 - last edited 2021-09-07 03:17:16

@MikeFdes 

Thank you very much for your feedback.

I have forwarded this post, as well as the original blog on Forbes, to the engineers already.

There will be an update as soon as possible.

Re: Access tokens left live after administrator logoff - query around recent vulnerabilities
2021-10-13 15:17:09

@MikeFdes 

Good afternoon,

This issue has now been pending for a month. I think it's reasonable for some sort of a solution (whatever that may be) to be formulated and disseminated within that time. Can someone please come back with an answer?

I would hope that TP Link takes security seriously. Not responding doesn't give the desired impression.

My initial questions, whilst possibly not holistic, go a long way towards making sure that security is taken care of, and will put your customers' minds at ease. Please engage.

Kind regards,

Mike

Re: Access tokens left live after administrator logoff - query around recent vulnerabilities
2021-10-14 06:01:29

@MikeFdes 

Sorry for the delay.

Our senior engineers have confirmed that:

Archer C50 (V6.0), as well as other models, does not have the 39 known vulnerabilities mentioned by a source. In fact, these mentioned vulnerabilities refer to the security risks of certain code in an entire open-source codebase. Archer C50 (V6.0), however, does not call the code in question that has security risks.

Please refer to the email for more details.

Thank you very much.
