Vulnerability Name:

CVE-2017-16960 (CCN-135500)

Assigned:2017-11-27
Published:2017-11-27
Updated:2019-10-03
Summary:TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
8.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
8.0 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-78
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-16960

Source: CCN
Type: TP-Link Web site
TP-Link Australia - WiFi Networking Equipment for Home & Business

Source: XF
Type: UNKNOWN
tplink-cve201716960-cmd-exec(135500)

Source: CCN
Type: TP-Link GIT Repository
Wireless-Router-Vulnerability/TplinkInterfaceAuthenticatedRCE.txt

Source: MISC
Type: Issue Tracking
https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/TplinkInterfaceAuthenticatedRCE.txt

Vulnerable Configuration:Configuration 1:
  • cpe:/h:tp-link:tl-er5510g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er5510g:v3:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er5520g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er5520g:v3:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er6120g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er6520g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er6520g:v3:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r4239g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r4299g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r473:v5:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r478:v6:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r478+:v7:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r478g+:v3:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r483:v5:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r483g:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r488:v5:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-wvr300:v4:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-wvr302:v2:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-wvr450g:v5:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-wvr900g:v3:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:tp-link:tl-wvr450_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr450:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:tp-link:tl-wvr450l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr450l:-:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:tp-link:tl-wvr458_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr458:-:*:*:*:*:*:*:*

    • Configuration 5:
  • cpe:/o:tp-link:tl-wvr458l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr458l:-:*:*:*:*:*:*:*

    • Configuration 6:
  • cpe:/o:tp-link:tl-wvr458p_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr458p:*:*:*:*:*:*:*:*

    • Configuration 7:
  • cpe:/o:tp-link:tl-wvr900l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr900l:-:*:*:*:*:*:*:*

    • Configuration 8:
  • cpe:/o:tp-link:tl-wvr1200l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1200l:-:*:*:*:*:*:*:*

    • Configuration 9:
  • cpe:/o:tp-link:tl-wvr1300l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1300l:-:*:*:*:*:*:*:*

    • Configuration 10:
  • cpe:/o:tp-link:tl-wvr1300g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1300g:-:*:*:*:*:*:*:*

    • Configuration 11:
  • cpe:/o:tp-link:tl-wvr1750l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr1750l:-:*:*:*:*:*:*:*

    • Configuration 12:
  • cpe:/o:tp-link:tl-wvr2600l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr2600l:-:*:*:*:*:*:*:*

    • Configuration 13:
  • cpe:/o:tp-link:tl-wvr4300l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-wvr4300l:-:*:*:*:*:*:*:*

    • Configuration 14:
  • cpe:/o:tp-link:tl-war302_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war302:-:*:*:*:*:*:*:*

    • Configuration 15:
  • cpe:/o:tp-link:tl-war450_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war450:-:*:*:*:*:*:*:*

    • Configuration 16:
  • cpe:/o:tp-link:tl-war450l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war450l:-:*:*:*:*:*:*:*

    • Configuration 17:
  • cpe:/o:tp-link:tl-war458_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war458:-:*:*:*:*:*:*:*

    • Configuration 18:
  • cpe:/o:tp-link:tl-war458l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war458l:-:*:*:*:*:*:*:*

    • Configuration 19:
  • cpe:/o:tp-link:tl-war900l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war900l:-:*:*:*:*:*:*:*

    • Configuration 20:
  • cpe:/o:tp-link:tl-war1200l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1200l:-:*:*:*:*:*:*:*

    • Configuration 21:
  • cpe:/o:tp-link:tl-war1300l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1300l:-:*:*:*:*:*:*:*

    • Configuration 22:
  • cpe:/o:tp-link:tl-war1750l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war1750l:-:*:*:*:*:*:*:*

    • Configuration 23:
  • cpe:/o:tp-link:tl-war2600l_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-war2600l:-:*:*:*:*:*:*:*

    • Configuration 24:
  • cpe:/o:tp-link:tl-er3210g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er3210g:-:*:*:*:*:*:*:*

    • Configuration 25:
  • cpe:/o:tp-link:tl-er3220g_firmware:*:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er3220g:-:*:*:*:*:*:*:*

    • Configuration 26:
  • cpe:/o:tp-link:tl-er5110g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er5110g:-:*:*:*:*:*:*:*

    • Configuration 27:
  • cpe:/o:tp-link:tl-er5120g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er5120g:-:*:*:*:*:*:*:*

    • Configuration 28:
  • cpe:/o:tp-link:tl-er6110g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6110g:-:*:*:*:*:*:*:*

    • Configuration 29:
  • cpe:/o:tp-link:tl-er6220g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6220g:-:*:*:*:*:*:*:*

    • Configuration 30:
  • cpe:/o:tp-link:tl-er6510g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er6510g:-:*:*:*:*:*:*:*

    • Configuration 31:
  • cpe:/o:tp-link:tl-er7520g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-er7520g:-:*:*:*:*:*:*:*

    • Configuration 32:
  • cpe:/o:tp-link:tl-r473g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473g:-:*:*:*:*:*:*:*

    • Configuration 33:
  • cpe:/o:tp-link:tl-r473p-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473p-ac:-:*:*:*:*:*:*:*

    • Configuration 34:
  • cpe:/o:tp-link:tl-r473gp-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r473gp-ac:-:*:*:*:*:*:*:*

    • Configuration 35:
  • cpe:/o:tp-link:tl-r478g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r478g:-:*:*:*:*:*:*:*

    • Configuration 36:
  • cpe:/o:tp-link:tl-r478g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r478g:-:*:*:*:*:*:*:*

    • Configuration 37:
  • cpe:/o:tp-link:tl-r479p-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r479p-ac:-:*:*:*:*:*:*:*

    • Configuration 38:
  • cpe:/o:tp-link:tl-r479gp-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r479gp-ac:-:*:*:*:*:*:*:*

    • Configuration 39:
  • cpe:/o:tp-link:tl-r479gpe-ac_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r479gpe-ac:-:*:*:*:*:*:*:*

    • Configuration 40:
  • cpe:/o:tp-link:tl-r4149g_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:tp-link:tl-r4149g:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/h:tp-link:tl-wvr300:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-wvr4300l:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-war302:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-war2600l:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er3210g:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-er7520g:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r473:-:*:*:*:*:*:*:*
  • OR cpe:/h:tp-link:tl-r4299g:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    tp-link tl-er5510g v2
    tp-link tl-er5510g v3
    tp-link tl-er5520g v2
    tp-link tl-er5520g v3
    tp-link tl-er6120g v2
    tp-link tl-er6520g v2
    tp-link tl-er6520g v3
    tp-link tl-r4239g v2
    tp-link tl-r4299g v2
    tp-link tl-r473 v5
    tp-link tl-r478 v6
    tp-link tl-r478+ v7
    tp-link tl-r478g+ v3
    tp-link tl-r483 v5
    tp-link tl-r483g v2
    tp-link tl-r488 v5
    tp-link tl-wvr300 v4
    tp-link tl-wvr302 v2
    tp-link tl-wvr450g v5
    tp-link tl-wvr900g v3
    tp-link tl-wvr450 firmware -
    tp-link tl-wvr450 -
    tp-link tl-wvr450l firmware -
    tp-link tl-wvr450l -
    tp-link tl-wvr458 firmware -
    tp-link tl-wvr458 -
    tp-link tl-wvr458l firmware -
    tp-link tl-wvr458l -
    tp-link tl-wvr458p firmware -
    tp-link tl-wvr458p *
    tp-link tl-wvr900l firmware -
    tp-link tl-wvr900l -
    tp-link tl-wvr1200l firmware -
    tp-link tl-wvr1200l -
    tp-link tl-wvr1300l firmware -
    tp-link tl-wvr1300l -
    tp-link tl-wvr1300g firmware -
    tp-link tl-wvr1300g -
    tp-link tl-wvr1750l firmware -
    tp-link tl-wvr1750l -
    tp-link tl-wvr2600l firmware -
    tp-link tl-wvr2600l -
    tp-link tl-wvr4300l firmware -
    tp-link tl-wvr4300l -
    tp-link tl-war302 firmware -
    tp-link tl-war302 -
    tp-link tl-war450 firmware -
    tp-link tl-war450 -
    tp-link tl-war450l firmware -
    tp-link tl-war450l -
    tp-link tl-war458 firmware -
    tp-link tl-war458 -
    tp-link tl-war458l firmware -
    tp-link tl-war458l -
    tp-link tl-war900l firmware -
    tp-link tl-war900l -
    tp-link tl-war1200l firmware -
    tp-link tl-war1200l -
    tp-link tl-war1300l firmware -
    tp-link tl-war1300l -
    tp-link tl-war1750l firmware -
    tp-link tl-war1750l -
    tp-link tl-war2600l firmware -
    tp-link tl-war2600l -
    tp-link tl-er3210g firmware -
    tp-link tl-er3210g -
    tp-link tl-er3220g firmware *
    tp-link tl-er3220g -
    tp-link tl-er5110g firmware -
    tp-link tl-er5110g -
    tp-link tl-er5120g firmware -
    tp-link tl-er5120g -
    tp-link tl-er6110g firmware -
    tp-link tl-er6110g -
    tp-link tl-er6220g firmware -
    tp-link tl-er6220g -
    tp-link tl-er6510g firmware -
    tp-link tl-er6510g -
    tp-link tl-er7520g firmware -
    tp-link tl-er7520g -
    tp-link tl-r473g firmware -
    tp-link tl-r473g -
    tp-link tl-r473p-ac firmware -
    tp-link tl-r473p-ac -
    tp-link tl-r473gp-ac firmware -
    tp-link tl-r473gp-ac -
    tp-link tl-r478g firmware -
    tp-link tl-r478g -
    tp-link tl-r478g firmware -
    tp-link tl-r478g -
    tp-link tl-r479p-ac firmware -
    tp-link tl-r479p-ac -
    tp-link tl-r479gp-ac firmware -
    tp-link tl-r479gp-ac -
    tp-link tl-r479gpe-ac firmware -
    tp-link tl-r479gpe-ac -
    tp-link tl-r4149g firmware -
    tp-link tl-r4149g -
    tp-link tl-wvr300 -
    tp-link tl-wvr4300l -
    tp-link tl-war302 -
    tp-link tl-war2600l -
    tp-link tl-er3210g -
    tp-link tl-er7520g -
    tp-link tl-r473 -
    tp-link tl-r4299g -