TP-Link WAN-Side Vulnerability Exploited to Install Mirai Malware

Mirai botnet exploits CVE-2023-1389 to add TP-Link Archer A21 (AX1800) routers to DDoS attacks. During the Pwn2Own Toronto event in December 2022, two hacking teams exploited the vulnerability in different ways via:-

• LAN interfaces
• WAN interfaces

In January 2023, the flaw was unveiled to TP-Link, and just after the report, TP-Link released a new firmware update with the fix last month.

Mirai botnet has updated its toolkit to include CVE-2023-1389, as observed by the ZDI threat-hunting team detecting new exploit attempts in Eastern Europe via their telemetry system.

Flaw Profile

• CVE ID: CVE-2023-1389 (ZDI-CAN-19557/ZDI-23-451)
• Falw Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the merge_country_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code in the root context.
• CVSS Score: 8.8
• Affected Vendor: TP-Link
• Affected Product: Archer AX21
• Disclosure Timeline:-

• 2023-01-25 – Vulnerability reported to the vendor
• 2023-04-24 – Coordinated public release of advisory

This vulnerability is an unauthenticated command injection vulnerability, and it has been identified in the web management interface’s locale API.

Successful exploitation of this flaw enables users to specify the form they want to call via the query string form and an operation, which is typical:-

• read

or

• write

Cyber attackers can exploit the flaw by incorporating a command payload as part of the country parameter and subsequently initiating a second request to activate the command. 

On April 11, 2023, the initial indications of in-the-wild exploitation surfaced, and since then, malicious activity has been identified globally.

Mirai malware botnet now uses the vulnerability to compromise the devices, and then subsequently, it procures the device into its botnet by downloading the suitable binary payload for the router’s architecture.

The current version of Mirai concentrates on DDoS attacks, particularly on game servers. It can target Valve Source Engine (VSE) and possesses features that reflect this focus.

This new malware version can replicate authentic network traffic, making it challenging for DDoS mitigation solutions to detect malicious traffic.

For identification or detection, here below, we have mentioned the common signs of an infected TP-Link router:-

• Overheating
• Internet disconnections
• On the device’s network settings, uncertain changes
• Unwanted resetting of admin user passwords

Patch

On February 24, 2023, TP-Link took steps to address the issue at hand. Unfortunately, the company’s solution was inadequate and failed to prevent further exploitation.

But, on March 14, 2023, the company released a firmware update with the patch to fix CVE-2023-1389, and here below, we have mentioned the updated version:-

• 1.1.4 Build 20230219

If you are a user of the Archer AX21 AX1800 dual-band WiFi 6 router, then can download the latest firmware update from their official update page.

Building Your Malware Defense Strategy – Download Free E-Book