May 29, 2024
Severity
High
Analysis Summary
The TP-Link Archer C5400X gaming router contains a maximum-severity vulnerability that allows remote code execution on vulnerable devices when specially crafted requests are sent to them.
The vulnerability has a CVSS score of 10.0 and is tracked as CVE-2024-5035. It affects all firmware versions up to and including 1.1.6. On May 24, 2024, version 1_1.1.7 was released with a patch. Researchers said that remote, unauthenticated attackers who successfully exploit this vulnerability can obtain arbitrary command execution on the device with elevated privileges.
The source of the issue is a radio-frequency testing binary called "rftest" that is started at boot and exposes a network listener on TCP ports 8888, 8889, and 8890, making it possible for an unauthenticated remote attacker to execute arbitrary commands on the device. Researchers found that although the network service only accepts commands that begin with "wl" or "nvram get", this restriction is easily bypassed by appending a further command after a shell metacharacter such as ;, &, or | (e.g., "wl;id;"), because only the beginning of the input is checked before it reaches the shell.
TP-Link's fix, shipped in version 1_1.1.7 Build 20240510, discards any command that contains these special characters. It appears that TP-Link needed a quick and inexpensive way to provide a wireless device configuration API, and as a result exposed what was intended to be a restricted shell over the network for clients inside the router to use when configuring wireless devices.
The disclosure comes a few weeks after researchers found vulnerabilities in LigoWave networking equipment (CVE-2024-4999) and Delta Electronics DVW W02W2 industrial Ethernet routers (CVE-2024-3871) that could give remote attackers elevated privileges and remote command execution. Because those devices are no longer maintained and therefore remain unpatched, users must limit the exposure of their administration interfaces to reduce the potential for exploitation.
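The validation flaw described above, and the shape of the fix, as an added example for this page: the prefix-only allow-list that the advisory describes beside a stricter check that rejects shell metacharacters. This is constructed illustration code, not TP-Link's rftest source (which is not reproduced here); the metacharacter set goes beyond the three characters the advisory names, and that extension is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not TP-Link's rftest code: the prefix-only
 * allow-list the advisory describes, beside a stricter check in the spirit
 * of the 1_1.1.7 fix (which discards commands containing ; & or |). */

static const char *const kAllowedPrefixes[] = { "wl", "nvram get" };
#define NPREFIX (sizeof kAllowedPrefixes / sizeof kAllowedPrefixes[0])

/* Returns the length of the matching allowed prefix, or 0 if none matches. */
static size_t match_prefix(const char *cmd)
{
    for (size_t i = 0; i < NPREFIX; i++) {
        size_t n = strlen(kAllowedPrefixes[i]);
        if (strncmp(cmd, kAllowedPrefixes[i], n) == 0)
            return n;
    }
    return 0;
}

/* Weak check: only inspects how the command begins. Everything after a
 * shell metacharacter reaches the shell unexamined, so "wl;id;" passes. */
bool weak_allow(const char *cmd)
{
    return match_prefix(cmd) != 0;
}

/* Hardened check: same prefix rule, then (1) the prefix must be a whole
 * word and (2) the command must not contain shell metacharacters. The set
 * below is wider than the three characters named in the advisory; that
 * extension is this example's assumption, not TP-Link's fix. */
bool hardened_allow(const char *cmd)
{
    static const char kMeta[] = ";&|`$()<>\n\r\\\"'";
    size_t n = match_prefix(cmd);
    if (n == 0)
        return false;
    if (cmd[n] != '\0' && cmd[n] != ' ')   /* e.g. "wlfoo" is not "wl" */
        return false;
    if (strpbrk(cmd, kMeta) != NULL)       /* metacharacter present: discard */
        return false;
    return true;
}
```

The contrast is the whole point: the weak check admits "wl;id;" because it never looks past the prefix, while the hardened check rejects it outright.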
Impact
- Remote Code Execution
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2024-5035
Affected Vendors
- TP-Link
Remediation
- Refer to the TP-Link Website for patch, upgrade, or suggested workaround information.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Isolate IoT devices from critical systems by segmenting your network.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.