CVE-2023-36359
📋 TL;DR
A buffer overflow vulnerability in TP-Link wireless routers allows attackers to cause Denial of Service (DoS) via crafted GET requests to the /userRpm/QoSRuleListRpm component. This affects multiple TP-Link router models including TL-WR940N, TL-WR841N, and TL-WR941ND in specific versions. Attackers can crash the router, disrupting network connectivity.
💻 Affected Systems
- TP-Link TL-WR940N
- TP-Link TL-WR841N
- TP-Link TL-WR941ND
⚠️ Risk & Real-World Impact
Worst Case
Router becomes completely unresponsive, requiring physical reset and causing extended network downtime. Potential for remote code execution if buffer overflow can be controlled.
Likely Case
Router crashes and reboots, causing temporary network disruption (1-3 minutes). Repeated attacks could create persistent DoS.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure.
🎯 Exploit Status
Exploit requires authentication to router web interface. Public proof-of-concept demonstrates DoS via buffer overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check TP-Link support site for firmware updates
2. Download appropriate firmware for your model
3. Access router web interface
4. Navigate to System Tools > Firmware Upgrade
5. Upload firmware file
6. Wait for router to reboot
🔧 Temporary Workarounds
Disable Remote Management
Prevent external access to router web interface
Access router web interface > Security > Remote Management > Disable
Change Default Credentials
Use strong, unique credentials to prevent attackers from authenticating
Access router web interface > System Tools > Password > Set strong password
🧯 If You Can't Patch
- Segment affected routers to isolated network segments
- Implement network ACLs to restrict access to router management interface
🔍 How to Verify
Check if Vulnerable:
Check router model and version in web interface > Status page. Compare with affected versions list.
Check Version:
Access router web interface > Status > Firmware Version
Verify Fix Applied:
Verify firmware version after update matches latest available from TP-Link.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts
- Router reboot logs
- Unusual GET requests to /userRpm/QoSRuleListRpm
Network Indicators:
- Router becoming unresponsive
- Network connectivity loss
- Unusual traffic to router management port (typically 80/443)
SIEM Query:
source="router_logs" AND (uri="/userRpm/QoSRuleListRpm" OR event="reboot")
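The SIEM query above matches either indicator on its own. The following added example (not part of the original advisory or any vendor tooling) correlates the two, alerting only when a reboot follows a GET to /userRpm/QoSRuleListRpm within 180 seconds, the upper end of the 1-3 minute disruption noted above. The key=value log format, its field names and the sample lines are constructed assumptions; adapt the parser to whatever your proxy or network sensor emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value format (not real router output).
# The query string on the target URI is a placeholder, not a real parameter.
SAMPLE_LOG = """\
2023-07-01T10:00:05 event=http src=192.168.0.23 method=GET uri=/index.html
2023-07-01T10:02:11 event=http src=192.168.0.77 method=GET uri=/userRpm/QoSRuleListRpm?constructed=1
2023-07-01T10:03:40 event=reboot
2023-07-01T11:15:00 event=http src=192.168.0.23 method=GET uri=/userRpm/QoSRuleListRpm?constructed=1
2023-07-01T14:30:00 event=reboot
"""

TARGET = "/userRpm/QoSRuleListRpm"   # component named in the advisory
WINDOW = timedelta(seconds=180)      # assumption: upper end of the 1-3 minute estimate
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+event=(?P<event>\w+)(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(log_text):
    """Return (timestamp, event, fields) tuples sorted by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append((ts, m["event"], dict(FIELD_RE.findall(m["rest"]))))
    return sorted(events, key=lambda e: e[0])

def correlate(log_text, window=WINDOW):
    """Alert on each reboot preceded, within `window`, by a GET to TARGET."""
    recent, alerts = [], []
    for ts, event, fields in parse(log_text):
        recent = [r for r in recent if ts - r[0] <= window]  # age out old requests
        is_target = fields.get("method") == "GET" and TARGET in fields.get("uri", "")
        if event == "http" and is_target:
            recent.append((ts, fields.get("src", "unknown")))
        elif event == "reboot" and recent:
            alerts.append({"reboot": ts.isoformat(), "requests": len(recent),
                           "sources": sorted({src for _, src in recent})})
            recent = []
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

The URI is matched as a substring, so any path prefix in front of /userRpm/ is tolerated. A reboot with no recent request to the component, such as the second one in the sample, raises no alert.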
🔗 References
- https://github.com/a101e-IoTvul/iotvul/blob/main/tp-link/8/TP-Link%20TL-WR940N%20TL-WR841N%20TL-WR941ND%20wireless%20router%20userRpmQoSRuleListRpm%20buffer%20read%20out-of-bounds%20vulnerability.md