The TP-Link Omada system touts cloud-managed devices and local management for all Omada devices.
The supported devices in this ecosystem vary greatly but include wireless access points, routers, switches, VPN devices and hardware controllers for the Omada software.
Cisco Talos researchers have discovered and helped to patch several vulnerabilities in the Omada system, focusing on a small subset of the available devices, including the EAP 115 and EAP 225 wireless access points, the ER7206 gigabit VPN router, and the Omada software controller.
A specially crafted series of HTTP requests can lead to remote code execution.
A specially crafted HTTP POST request can lead to denial of service of the device's web interface.
A command execution vulnerability exists in the tddpd enable test mode functionality of the TP-Link AC1350 Wireless MU-MIMO Gigabit Access Point v5.1.0, build 20220926 and TP-Link N300 Wireless Access Point v5.0.4, build 20220216.
A specially crafted series of network requests can lead to arbitrary command execution.
A denial-of-service vulnerability exists in the TDDP functionality of the TP-Link AC1350 Wireless MU-MIMO Gigabit Access Point v5.1.0, build 20220926.
A specially crafted series of network requests could allow an adversary to reset the device back to its factory settings.
A specially crafted HTTP request can lead to arbitrary command execution.
A specially crafted HTTP request can lead to arbitrary command injection.
A specially crafted HTTP request can lead to arbitrary command injection, and allow an adversary to gain access to an unrestricted shell.
TDDP is the TP-Link Device Debug Protocol available on many TP-Link devices.
Only two versions of the TDDP service currently appear to be implemented on the target devices: 0x01 and 0x02. Of these, version 0x02 is the only one that contains any functionality of note.
In our target devices, only one request within version 0x01 was supported: tddp sysInit.
These mappings are specific to the targeted devices and may change from device to device.
Every TDDP request must contain an MD5 digest of the entire request, including the payload after it has been padded but before it has been encrypted.
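The digest rule above, sketched as an added example (not code from the Talos write-up or from TP-Link) to show what a digest computed from the request alone does and does not protect. The header layout, zero padding, zeroed digest field, omission of the encryption step, the HMAC alternative and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Hypothetical layout (the page gives no field layout): version, type, code,
# reply_info, payload length, packet id, 2 reserved bytes, then a 16-byte
# digest field followed by the padded payload.
HEADER = struct.Struct(">BBBBIH2x")
DIGEST_LEN = 16
BLOCK = 8  # assumed padding granularity

def pad(payload: bytes) -> bytes:
    """Zero-pad to a multiple of BLOCK (padding scheme is an assumption)."""
    return payload + b"\x00" * (-len(payload) % BLOCK)

def tag(header: bytes, body: bytes, key: Optional[bytes]) -> bytes:
    """Digest over header + zeroed digest field + padded plaintext payload."""
    msg = header + b"\x00" * DIGEST_LEN + body
    if key is None:
        return hashlib.md5(msg).digest()  # plain MD5 of the request, as on the page
    # Keyed alternative (assumption), truncated to fit the same 16-byte field.
    return hmac.new(key, msg, hashlib.sha256).digest()[:DIGEST_LEN]

def build(version: int, code: int, packet_id: int, payload: bytes,
          key: Optional[bytes] = None) -> bytes:
    body = pad(payload)
    header = HEADER.pack(version, 0, code, 0, len(body), packet_id)
    return header + tag(header, body, key) + body

def verify(packet: bytes, key: Optional[bytes] = None) -> bool:
    """Check the length fields first, then compare digests in constant time."""
    if len(packet) < HEADER.size + DIGEST_LEN:
        return False
    header = packet[:HEADER.size]
    digest = packet[HEADER.size:HEADER.size + DIGEST_LEN]
    body = packet[HEADER.size + DIGEST_LEN:]
    if HEADER.unpack(header)[4] != len(body) or len(body) % BLOCK:
        return False
    return hmac.compare_digest(digest, tag(header, body, key))

def compare_schemes() -> dict:
    key = b"constructed-per-device-secret"  # constructed sample value
    good = build(2, 1, 7, b"constructed payload")
    corrupted = good[:-1] + bytes([good[-1] ^ 1])  # one flipped bit in transit
    keyless = build(2, 1, 7, b"sender without the key")
    return {"md5_detects_corruption": not verify(corrupted),
            "md5_accepts_keyless_sender": verify(keyless),
            "hmac_accepts_keyless_sender": verify(keyless, key),
            "hmac_accepts_keyed_sender": verify(build(2, 1, 7, b"ok", key), key)}
```

The MD5 check catches corruption but accepts any well-formed request, so it is an integrity check rather than authentication; restricting who can reach the service, or a keyed tag, is what limits who can issue requests.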
While enabled during startup, TDDP can be used to factory reset the device through a single ENC CMD OPT request, passing a subtype code of 0x49 via the payload field.
TDDP can also be used to indirectly obtain root access on certain devices through one of the exposed TDDP commands, enableTestMode.
Sh script on that host, the device can be forced to execute any command as the root user immediately after the enableTestMode TDDP request is sent.
This Cyber News was published on blog.talosintelligence.com. Publication date: Wed, 26 Jun 2024 19:13:05 +0000