Access tokens left live after administrator logoff - query around recent vulnerabilities
Hello,
I would like a proper response to the questions below. Can this be shunted up the line until someone capable of responding can do so please? I realise some of the questions are strategic and not technical, but I need to see how importantly TP-Link takes this. The responses will tell, and will inform my decision to stay or move to another manufacturer that does take security seriously.
I have questions around recently discovered vulnerabilities in TP-Link consumer hardware. They stem from this article: https://www.forbes.com/sites/daveywinder/2021/09/04/this-best-selling-router-includes-an-alarming-security-surprise/
Whilst the article specifically mentions the C50, my queries revolve around the shared nature of the OS software that underpins many models offered by one manufacturer.
Of the 24 vulnerabilities found, 7 were classed as 'most likely present', some of which were then detailed:
- CVE-2016-4805, CVE-2010-4160 open the door to potential denial of service attacks against the router.
- CVE-2014-4943, CVE-2014-3158 could enable an attacker to gain network privileges.
- CVE-2021-22876 has the potential to leak credentials.
- CVE-2020-8285 might allow an attacker to steal user data.
- CVE-2020-36254 provides a method of bypassing access restrictions.
1) Given the oldest of those detailed dates from 2014, does TP-Link take security seriously? The pandemic, coupled with changes in working practices have highlighted the need for increasingly robust network devices at home. We are over a year on from the start, and nobody sat down to review security?
2) Having access tokens still live after administrator logoff: is this specific issue resolved across the device landscape?
3) Is there a security audit cycle present within the company / product life cycle at all?
4) What is the company's policy on supporting devices once released? How does this policy work with the V1, V2, V3 release cycles?
5) Are end-of-life devices clearly marked on the website?
6) Can you make the V1, V2, V3 more visible on your packaging? This will kill demand for older devices, but, this is your problem, not a customer problem (which you are making it at the moment). Either that, or work out a new supply chain / product life cycle strategy (maybe both).
To anyone still reading this:
a) If you just run a home network for the family and your router allows it, turn on automatic updates. This helps keep your family safe, so long as TP-Link do their side of the deal and regularly review vulnerabilities and how they relate to their devices. It's still worth setting this.
b) If your router doesn't have auto-update, build this check into your monthly/weekly routine. Go check now and update after backing up your router configuration.
c) If you run internet-facing services at home, build this check into your change management for that service.
d) If you're buying a router, take a look at the manufacturer's security stance. Look for information on the frequency of updates. If there isn't any, ask. If you don't get an answer, then you know what to do. Only reward those that are willing to engage. Security isn't something to take lightly these days; the quicker manufacturers realise this, the better. Unfortunately, a lot of change will only happen if we, the consumers, tell them, through our purchasing habits.
Kind regards,
Mike
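Editor's note: the token-after-logoff issue raised in question 2 is a general web-session defect, not something specific to any one router, so here is an added illustration of it. This is example code written for this page; it is not TP-Link firmware, not the poster's code, and the `SessionStore` class, the `logout_leaky` / `logout_revoking` methods and the fixed 900-second TTL are all constructed assumptions. It shows the defective pattern (logout only clears the browser cookie, the server still honours the token) beside the correct one (logout revokes the token server-side), and a black-box style check that replays the old token after logout, which is how you would test a real device.

```python
import secrets
import time


class SessionStore:
    """Toy server-side table of bearer tokens for an admin UI (constructed model)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, absolute expiry time)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._sessions[token] = (user, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        """Return the user bound to a token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # lazy expiry on first use after TTL
            return None
        return user

    def logout_leaky(self, token):
        # Defective pattern (hypothetical): logout only tells the browser to drop
        # the cookie. The server-side entry is untouched, so anyone who captured
        # the token (shared PC, proxy log, XSS) can keep using it until the TTL
        # runs out, even though the administrator believes they are logged off.
        return "Set-Cookie: session=; Max-Age=0"

    def logout_revoking(self, token):
        # Correct pattern: revoke server-side first, then clear the cookie.
        # After this the replayed token is rejected no matter what the client kept.
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0"


def admin_request(store, token, now=None):
    """Toy admin endpoint: 200 for a live admin token, 401 for anything else."""
    user = store.lookup(token, now)
    return 200 if user == "admin" else 401


def replay_after_logout(logout_name, delay=1.0, ttl_seconds=900):
    """Black-box style check: log in, log out, then replay the old token.

    Returns the HTTP status the replayed token receives `delay` seconds after
    logout. A hardened device must answer 401 immediately; a leaky one keeps
    answering 200 until the token's TTL finally expires.
    """
    store = SessionStore(ttl_seconds)
    t0 = 1_000.0  # fixed clock so the check is deterministic
    token = store.login("admin", now=t0)
    getattr(store, logout_name)(token)
    return admin_request(store, token, now=t0 + delay)


if __name__ == "__main__":
    print("leaky logout, replay 1s later:   ", replay_after_logout("logout_leaky"))
    print("revoking logout, replay 1s later:", replay_after_logout("logout_revoking"))
    print("leaky logout, replay after TTL:  ", replay_after_logout("logout_leaky", delay=901))
```

Against a real router the same check is done with the browser's developer tools or a proxy: log in, copy the session cookie or token header, log out through the UI, then resend a captured admin request with the old value. Anything other than a rejection means logoff is cosmetic and the token lives until it expires or the device reboots.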