All the vulnerabilities related to tp-link - archer_c2_v1_firmware
cve-2019-13266
Vulnerability from cvelistv5
Published
2019-08-27 17:06
Modified
2024-08-04 23:49
Severity ?
EPSS score ?
Summary
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.
References
| URL | Tags |
|---|---|
| https://orenlab.sise.bgu.ac.il/publications/CrossRouter | x_refsource_MISC |
| https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:49:23.866Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-27T17:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13266", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter", "refsource": "MISC", "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "name": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf", "refsource": "MISC", "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13266", "datePublished": "2019-08-27T17:06:10", "dateReserved": "2019-07-04T00:00:00", "dateUpdated": "2024-08-04T23:49:23.866Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-30383
Vulnerability from cvelistv5
Published
2023-07-18 00:00
Modified
2024-10-28 18:35
Severity ?
EPSS score ?
Summary
TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T14:21:44.817Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "http://tplink.com" }, { "tags": [ "x_transferred" ], "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware%29%2CTPLINK" }, { "tags": [ "x_transferred" ], "url": "https://www.tp-link.com/us/support/download/archer-c2/v1/#Firmware" }, { "tags": [ "x_transferred" ], "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware" }, { "tags": [ "x_transferred" ], "url": "https://gist.github.com/a2ure123/a4eda2813d85d8b414bb87e855ab4bf8" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:h:tp-link:archer_c50:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "archer_c50", "vendor": "tp-link", "versions": [ { "status": "affected", "version": "v2_160801" } ] }, { "cpes": [ "cpe:2.3:h:tp-link:archer_c20:1:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "archer_c20", "vendor": "tp-link", "versions": [ { "status": "affected", "version": "v1_150707" } ] }, { "cpes": [ "cpe:2.3:h:tp-link:archer_c2:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "archer_c2", "vendor": "tp-link", "versions": [ { "status": "affected", "version": "v1_170228" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-30383", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-28T18:32:54.899161Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-28T18:35:54.750Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "TP-LINK 
Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-18T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://tplink.com" }, { "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware%29%2CTPLINK" }, { "url": "https://www.tp-link.com/us/support/download/archer-c2/v1/#Firmware" }, { "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware" }, { "url": "https://gist.github.com/a2ure123/a4eda2813d85d8b414bb87e855ab4bf8" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-30383", "datePublished": "2023-07-18T00:00:00", "dateReserved": "2023-04-07T00:00:00", "dateUpdated": "2024-10-28T18:35:54.750Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13267
Vulnerability from cvelistv5
Published
2019-08-27 17:05
Modified
2024-08-04 23:49
Severity ?
EPSS score ?
Summary
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender.
References
| URL | Tags |
|---|---|
| https://orenlab.sise.bgu.ac.il/publications/CrossRouter | x_refsource_MISC |
| https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:49:24.291Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-27T17:05:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13267", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter", "refsource": "MISC", "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "name": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf", "refsource": "MISC", "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13267", "datePublished": "2019-08-27T17:05:39", "dateReserved": "2019-07-04T00:00:00", "dateUpdated": "2024-08-04T23:49:24.291Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13268
Vulnerability from cvelistv5
Published
2019-08-27 17:05
Modified
2024-08-04 23:49
Severity ?
EPSS score ?
Summary
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network's subnet mask, but these routers did not restrict this traffic in any way. Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)
References
| URL | Tags |
|---|---|
| https://orenlab.sise.bgu.ac.il/publications/CrossRouter | x_refsource_MISC |
| https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:49:24.300Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network\u0027s subnet mask, but these routers did not restrict this traffic in any way. 
Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-27T17:05:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13268", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network\u0027s subnet mask, but these routers did not restrict this traffic in any way. 
Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter", "refsource": "MISC", "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "name": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf", "refsource": "MISC", "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13268", "datePublished": "2019-08-27T17:05:06", "dateReserved": "2019-07-04T00:00:00", "dateUpdated": "2024-08-04T23:49:24.300Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13267
Vulnerability from fkie_nvd
Published
2019-08-27 18:15
Modified
2024-11-21 04:24
Severity ?
Summary
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://orenlab.sise.bgu.ac.il/publications/CrossRouter | Exploit, Third Party Advisory |
| cve@mitre.org | https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://orenlab.sise.bgu.ac.il/publications/CrossRouter | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c3200_v1_firmware | - |
| tp-link | archer_c3200_v1 | - |
| tp-link | archer_c2_v1_firmware | - |
| tp-link | archer_c2_v1 | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c3200_v1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C0252646-692B-488E-9A79-B698030DF7AC", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c3200_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E4EE5DB-AE33-4F3E-A211-179A524F4DEA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c2_v1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "CECD65D5-4F10-422F-B71E-6494D56B80A2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c2_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "10AEB762-E804-46FF-B37D-5CC21A1EFEB7", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender." }, { "lang": "es", "value": "Los dispositivos TP-Link Archer C3200 V1 y Archer C2 V1 tienen una compartimentaci\u00f3n insuficiente entre una red host y una red de invitados establecida por el mismo dispositivo. Para transferir los datos de la red del host a la red del invitado, el remitente se une y despu\u00e9s deja a un grupo IGMP. 
Despu\u00e9s de que salga, el router (siguiendo el protocolo IGMP) crea un paquete de la interrogaci\u00f3n de la membres\u00eda IGMP con el IP del grupo y lo env\u00eda al host y a las redes del invitado. Los datos se transfieren dentro del campo IP de grupo, que est\u00e1 completamente controlado por el remitente." } ], "id": "CVE-2019-13267", "lastModified": "2024-11-21T04:24:35.053", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-27T18:15:10.887", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2019-13268
Vulnerability from fkie_nvd
Published
2019-08-27 18:15
Modified
2024-11-21 04:24
Severity ?
Summary
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network's subnet mask, but these routers did not restrict this traffic in any way. Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://orenlab.sise.bgu.ac.il/publications/CrossRouter | Exploit, Third Party Advisory |
| cve@mitre.org | https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://orenlab.sise.bgu.ac.il/publications/CrossRouter | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c3200_v1_firmware | - |
| tp-link | archer_c3200_v1 | - |
| tp-link | archer_c2_v1_firmware | - |
| tp-link | archer_c2_v1 | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c3200_v1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C0252646-692B-488E-9A79-B698030DF7AC", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c3200_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E4EE5DB-AE33-4F3E-A211-179A524F4DEA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c2_v1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "CECD65D5-4F10-422F-B71E-6494D56B80A2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c2_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "10AEB762-E804-46FF-B37D-5CC21A1EFEB7", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network\u0027s subnet mask, but these routers did not restrict this traffic in any way. Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)" }, { "lang": "es", "value": "Los dispositivos TP-Link Archer C3200 V1 y Archer C2 V1 tienen una compartimentaci\u00f3n insuficiente entre una red host y una red de invitados establecida por el mismo dispositivo. 
Reenv\u00edan las peticiones ARP, que se env\u00edan como paquetes de broadcast, entre el host y las redes de invitados. Para utilizar esta fuga como un canal encubierto directo, el remitente puede emitir trivialmente una solicitud ARP a un equipo arbitrario de la red. (En general, algunos routers restringen el reenv\u00edo ARP solo a las solicitudes destinadas a la m\u00e1scara de subred de la red, pero estos enrutadores no restringieron este tr\u00e1fico de ninguna manera. Dependiendo de este factor, uno debe utilizar los 8 bits m\u00e1s bajos de la direcci\u00f3n IP, o los 32 bits enteros, como la carga \u00fatil de datos.)" } ], "id": "CVE-2019-13268", "lastModified": "2024-11-21T04:24:35.190", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-27T18:15:10.950", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "source": 
"cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2019-13266
Vulnerability from fkie_nvd
Published
2019-08-27 18:15
Modified
2024-11-21 04:24
Severity ?
Summary
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://orenlab.sise.bgu.ac.il/publications/CrossRouter | Exploit, Third Party Advisory |
| cve@mitre.org | https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://orenlab.sise.bgu.ac.il/publications/CrossRouter | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.usenix.org/system/files/woot19-paper_ovadia.pdf | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c3200_v1_firmware | - |
| tp-link | archer_c3200_v1 | - |
| tp-link | archer_c2_v1_firmware | - |
| tp-link | archer_c2_v1 | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c3200_v1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C0252646-692B-488E-9A79-B698030DF7AC", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c3200_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "7E4EE5DB-AE33-4F3E-A211-179A524F4DEA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c2_v1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "CECD65D5-4F10-422F-B71E-6494D56B80A2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c2_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "10AEB762-E804-46FF-B37D-5CC21A1EFEB7", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field." }, { "lang": "es", "value": "Los dispositivos TP-Link Archer C3200 V1 y Archer C2 V1 poseen una Compartimentaci\u00f3n Insuficiente entre una red host y una red invitada que es establecida por el mismo dispositivo. Una Petici\u00f3n DHCP se env\u00eda al router con un determinado campo Transaction ID. Siguiendo el protocolo DHCP, el router responde con un mensaje ACK o NAK. 
Estudiando el caso de NAK revel\u00f3 que el router env\u00eda err\u00f3neamente el NAK tanto a las redes Host como a las Invitadas con el mismo Transaction ID que se encuentra en la petici\u00f3n DHCP. Esto permite que la codificaci\u00f3n de datos se env\u00ede por medio del enrutador hacia el campo Transaction ID de 32 bits." } ], "id": "CVE-2019-13266", "lastModified": "2024-11-21T04:24:34.910", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-27T18:15:10.827", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://orenlab.sise.bgu.ac.il/publications/CrossRouter" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.usenix.org/system/files/woot19-paper_ovadia.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-669" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2023-30383: Vulnerability from fkie_nvd
Published
2023-07-18 19:15
Modified
2024-11-21 08:00
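Severity: 7.5 HIGH (CVSS v3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; NVD primary score, availability impact only)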
Summary
TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
tp-link | archer_c2_v1_firmware | 170228 | |
tp-link | archer_c2_v1 | - | |
tp-link | archer_c20_firmware | 150707 | |
tp-link | archer_c20 | 1 | |
tp-link | archer_c50_firmware | 160801 | |
tp-link | archer_c50 | 2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c2_v1_firmware:170228:*:*:*:*:*:*:*", "matchCriteriaId": "E67A17E5-2199-4FFC-A9ED-DA1694CAC531", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c2_v1:-:*:*:*:*:*:*:*", "matchCriteriaId": "10AEB762-E804-46FF-B37D-5CC21A1EFEB7", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c20_firmware:150707:*:*:*:*:*:*:*", "matchCriteriaId": "7EBCD60C-2B46-4A7F-821A-2852267A0114", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c20:1:*:*:*:*:*:*:*", "matchCriteriaId": "9D159009-CF48-4631-9139-5AB553B58018", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:tp-link:archer_c50_firmware:160801:*:*:*:*:*:*:*", "matchCriteriaId": "9DD711B4-011F-4576-97FA-20857549E6FD", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:tp-link:archer_c50:2:*:*:*:*:*:*:*", "matchCriteriaId": "FBAF991B-15EB-4858-B7A7-18FA24C180DC", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data." 
} ], "id": "CVE-2023-30383", "lastModified": "2024-11-21T08:00:07.040", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-18T19:15:09.643", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "http://tplink.com" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://gist.github.com/a2ure123/a4eda2813d85d8b414bb87e855ab4bf8" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.tp-link.com/us/support/download/archer-c2/v1/#Firmware" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware" }, { "source": "cve@mitre.org", "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware%29%2CTPLINK" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "http://tplink.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://gist.github.com/a2ure123/a4eda2813d85d8b414bb87e855ab4bf8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.tp-link.com/us/support/download/archer-c2/v1/#Firmware" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.tp-link.com/us/support/download/archer-c50/v2/#Firmware%29%2CTPLINK" } ], "sourceIdentifier": "cve@mitre.org", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-120" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }