CVE-2024-57049 Scanner

The TP-Link Archer C20 is a widely used router, often deployed in home and small office environments. It's known for its affordability and ease of setup, making it a popular choice among users seeking basic network connectivity. Its primary purpose is to facilitate internet access for multiple devices, supporting both wired and wireless connections. Small businesses might also use it for guest networks and to provide secure browsing experiences to employees and customers. However, due to its open-access nature, ensuring its firmware is up to date is crucial to protecting networks from unauthorized access.

The Authentication Bypass vulnerability within the TP-Link Archer C20 allows unauthorized users to bypass the authentication required to access administrative functions. This particular flaw is found in routers running firmware V6.6_230412 and earlier. Attackers exploit this by manipulating HTTP headers to trick the system into recognizing a malicious request as authenticated. The vulnerability presents a high risk, rated as critical due to the potential for full administrative access without proper credentials. This poses significant security risks as malicious actors can alter network configurations and gain further access to connected devices.

Technically, the vulnerability is exploited by adding a specific "Referer" HTTP header in requests sent to the router's '/cgi' directory. When the value 'http://tplinkwifi.net' is used in these headers, the router fails to check for valid authentication. This oversight in validating the header content allows attackers to exploit the router's web interface by bypassing the normal authentication flow. It's crucial for users to realize that any device exposed to the Internet can be targeted using this method, as attackers can execute this bypass remotely.

Exploitation of this vulnerability can lead to unauthorized access to the router's administration panel. Malicious actors could change network settings, which may involve disabling security measures, opening ports, or altering routing configurations. Additionally, they can observe and manipulate incoming and outgoing traffic, thus posing a privacy threat to users. The unauthorized access can serve as a launchpad for further attacks on devices within the network, complicating detection and mitigation efforts.

REFERENCES

• https://github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/archer%%%%20c20/ACL%%%%20bypass%%%%20Vulnerability%%%%20in%%%%20TP-Link%%%%20archer%%%%20c20.md
• https://nvd.nist.gov/vuln/detail/CVE-2024-57049
• https://github.com/advisories/GHSA-qr32-fcm4-m5h9