Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple product vulnerabilities: all TP-Link "2-series" switches, all TP-Link VxWorks-based product

From: kvnjs <kvnjs () riseup net>
Date: Tue, 30 Sep 2014 14:59:27 -0400
Vendor affected: TP-Link (http://tp-link.com)

Products affected:
  * All TP-Link VxWorks-based devices (confirmed by vendor)
  * All "2-series" switches (confirmed by vendor)
  * TL-SG2008 semi-managed switch (confirmed by vendor)
  * TL-SG2216 semi-managed switch (confirmed by vendor)
  * TL-SG2424 semi-managed switch (confirmed by vendor)
  * TL-SG2424P semi-managed switch (confirmed by vendor)
  * TL-SG2452 semi-managed switch (confirmed by vendor)

Vulnerabilities:
  * All previously-reported VxWorks vulnerabilities from 6.6.0 on;
    at the very least:
    * CVE-2013-0716 (confirmed by vendor)
    * CVE-2013-0715 (confirmed by vendor)
    * CVE-2013-0714 (confirmed by vendor)
    * CVE-2013-0713 (confirmed by vendor)
    * CVE-2013-0712 (confirmed by vendor)
    * CVE-2013-0711 (confirmed by vendor)
    * CVE-2010-2967 (confirmed by vendor)
    * CVE-2010-2966 (confirmed by vendor)
    * CVE-2008-2476 (confirmed by vendor)
  * SSLv2 is available and cannot be disabled unless HTTPS is
    completely disabled (allows downgrade attacks)
    (confirmed by vendor)
  * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
    be disabled (allows downgrade attacks)
    (confirmed by vendor)

Design flaws:
  * Telnet is available and cannot be disabled (confirmed by vendor)
  * SSHv1 enabled by default if SSH is enabled (confirmed by vendor)

Vendor response:
  TP-Link are not convinced that these flaws should be repaired.

  TP-Link's Internet presence -- or at least DNS -- is available only
  intermittently. Most emails bounced. Lost contact with vendor, but
  did confirm that development lead is now on holiday and will not
  return for at least a week.

  Initial vendor reaction was to recommend purchase of "3-series"
  switches. Vendor did not offer reasons why "3-series" switches would
  be more secure, apart from lack of telnet service. Vendor confirmed
  that no development time can be allocated to securing "2-series"
  product and all focus has shifted to newer products.

  (TL-SG2008 first product availability July 2014...)

  Vendor deeply confused about security of DES/3DES, MD5, claimed that
  all security is relative. ("...[E]ven SHA-1 can be cracked, they just
  have different security level.")

Fix availability:
  None.

Work-arounds advised:
  None possible. Remove products from network.


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: