back to article From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

Bug-hunters have this week disclosed details of four security vulnerabilities in a family of TP-Link 1GbE VPN routers. The flaws were found by Jared Rittle and Carl Hurd of Cisco's Talos Intelligence, and all four are classic security goofs. They are as follows: one denial-of-service weakness, and one file-leaking hole, each …

  1. Anonymous Coward
    Anonymous Coward

    TP-Link

    TP-Link is at the cheapest tier and their CVE history is surely not a source of pride.

    Why would anyone lay any sort of network security on the shoulders of these products?

    1. ThatOne Silver badge

      Re: TP-Link

      Because there is a vast amount of people who know just enough about networking to get themselves in trouble... I know, I'm one of them. ;o)

      And obviously the kind of device they will buy for their home Internet connection depends solely on the size of hole it will burn in their wallet, this being the only difference they can see. Where on earth could they check who among the heap of similar devices from TP-Link, D-Link, Netgear, Linksys (etc.) is better (or less worse) than the others? Buying Cisco is not an option for people with average (or under-average) incomes + a family.

      1. ElReg!comments!Pierre Silver badge

        Re: TP-Link

        Well, if you're so inclined you could look up the list of cheap routers supported by openWRT, and set up your own security rules. Sensible guidelines are available, meaning that depending on tour knowledge you may learn a thing or two along the way, and if you do mess up, you'll know who to blame!

        1. Norman Nescio Silver badge

          Re: TP-Link

          Well, if you're so inclined you could look up the list of cheap routers supported by openWRT, and set up your own security rules. Sensible guidelines are available...

          I'll reply, with a Laconic "If...". You were right to write "If...", as most people not seriously interested in networking are not so inclined, and the botnet herders rely on the stupid, the ignorant, the lazy, and the arrogant people who don't want to spend the time and trouble to learn how to do things well, or pay someone to do it well for them.

          And while I am a great fan of OpenWrt, it is not a universal panacea. While it is very good, the kernel has got so big now, the volunteers who produce and support it have trouble in keeping the firmware image small enough to fit into the lowest capability platforms currently supported. The next image is likely to drop support for a lot of the older and/or smaller devices, and there is discussion and special pleading on the developers mailing list regarding this issue.

          I can see legislation and regulatory bodies to enforce the legislation being set up in the future to enforce information security - this may not be the boon FLOSS enthusiasts expect, as it could turn out that only the largest companies will be able to afford to have software certified to meet any regulations. I expect some serious lobbying will be needed to get carve-outs for FLOSS enthusiasts' use of software. I would not be surprised to see a situation like Part 'P' for domestic electrical work, where security is not materially improved, but 'competent companies' get a licence to print money. I'll answer to being called cynical.

          1. ElReg!comments!Pierre Silver badge
            Joke

            Re: TP-Link

            While you raise interesting points, that "If" of yours will not answer to being called laconic.

    2. Crazy Operations Guy Silver badge

      Re: TP-Link

      Penny-pinching managers, small businesses with almost no budget, schools ad other public institutions, and so on.

      I've had a bunch of clients where the manager went out to BestBuy and bought whatever the sales guy said would work then stuck it in the network, then refused to replace it since "It works well enough".

  2. Norman Nescio Silver badge

    Laconic if...

    I was tempted to answer simply:

    If...

    But thought it might be a little less cryptic, and little more helpful, if I expanded for clarification.

    I have upvoted you for being correct.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019