WARNING: ER605 Security Vulnerability..!

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

WARNING: ER605 Security Vulnerability..!

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
WARNING: ER605 Security Vulnerability..!
WARNING: ER605 Security Vulnerability..!
2021-09-14 13:18:30
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.1.1 Build 20210723 Rel.64608

WARNING:

 

If you setup a second LAN (or more), and isolate it via ACL, then the router remains accessible on the new network(s)..!

I setup the Router address to 192.168.1.1/24 and created 2 additional networks (192.168.30.1/24 and 192.168.40.1/24) and updated the firewall to isolate these networks. Although clients on each network cannot access each other, they are always able to access the Router.  So, even though the router address is 192.168.1.1, it can also be accessed via the gateways at 192.168.30.1 and 192.168.40.1 (even at 192.168.1.1 on isolated subnets.!!!).

Now, even if the router is still password protected, it is clearly visible at an incorrect address and is open to hacking.  PLEASE bear this in mind when setting up any 'secure' networks.  This is clearly an invisible route, and obviously makes me wonder if there are any more.  I have not checked if any other ports are open on these false routes...

TP-Link inform me that it should be fixed in a November release, so be VERY careful in the meantime (keep your passwords VERY strong).

 

Shame on you TP-Link for such a schoolboy error in a 'Security' product, and for taking so long to fix it..!

Steve McDonald
  1      
  1      
#1
Options
8 Reply
Re:WARNING: ER605 Security Vulnerability..!
2021-09-14 20:45:45

@Steve_McD 

 

From my side works properly, you have to set the correct ACL.

How do you configure them? how is your network topology?

BR

  0  
  0  
#2
Options
Re:WARNING: ER605 Security Vulnerability..!
2021-09-14 22:04:31

@Emitplink 

 

Been through this with Agent on TP-Link chat.

 

My ACL rules are simple; just 'Block' LAN > LAN and choose Guest and main LAN.  Block in both directions.

I know the ACL is working because other clients cannot access each other (also verified they can when the ACL is 'Allow').

 

However, if I ping the gateway (automatically set to __.__.__.1/24), then it responds.  If I HTTP into the Gateway, I get the router login page.

I'm sorry, but if I block LAN > LAN, then this should not be possible.

 

It appears this is some issue with how the management LAN is handled.  Looks like ALL gateways point to the router.

Interestingly, even if I change the address of the router, the gateways still seem to point to it.

 

Please let me know if I'm missing something obvious, I'm just being led by the TP-Link folks...

 

Thanks,

Steve

Steve McDonald
  0  
  0  
#3
Options
Re:WARNING: ER605 Security Vulnerability..!
2021-09-14 22:19:35

@Emitplink 

 

Sorry, forgot to describe my topology...

 

I have a single PPoE WAN(vlan4094) and 3 LANs; LAN1(vlan1) @192.168.1.1/24 __ IoT(vlan30) @192.168.30.1/24 __ Guest(vlan40) @ 192.168.40.1/24

My ACL blocks ALL LAN > LAN between each of the 3 LANs, both directions.  This correctly blocks access from any LAN to clients on other LANs.

 

The router is @ 192.168.1.1.  If I connect to the Guest LAN, however, then I can ping 192.168.40.1.  Browsing this address gives me the router login.

I believe the router automatically assigns the gateway to the 192.168.40.1 address.  The same is true of the Iot LAN.

 

Looks like all gateways point to the router...

 

I asked if there was some way to prevent this, but was told I could not...  Hence the message to warn other users.

 

Let me know if you have any questions...

 

Regards,

Steve

Steve McDonald
  0  
  0  
#4
Options
Re:WARNING: ER605 Security Vulnerability..!
2021-09-15 06:22:49

@Steve_McD I also learned from TP-Link that they will fix this problem in November, and hope they can solve this problem as soon as possible. In addition, maybe you can consider modifying the router's management port instead of using port 80 and 443.

  0  
  0  
#5
Options
Re:WARNING: ER605 Security Vulnerability..!
2021-09-15 08:03:14

@Yannie 

 

Thanks for the port suggestion, TP-Link also suggested the same.

Does improve security slightly, but any competent hacker would just Nmap for open ports...

 

Much better to just fix the problem ASAP...

 

Regards,

Steve

Steve McDonald
  0  
  0  
#6
Options
Re:WARNING: ER605 Security Vulnerability..!
2021-09-15 13:16:38

@Steve_McD AAAARGH...!  If I HTTP into my PUBLIC WAN IP Address from any LAN, it also gives me the Router Login...

 

Now, I can confirm that if I HTTP into this address from the WAN side, I get nothing.

Can I be sure, however, that this is blocked by the ER605 and NOT by my ISP..?

 

Now, I know any unknown address should hit the gateway, then the routing table, but NOT the router management login...

Wow, just Wow..!

Steve McDonald
  0  
  0  
#7
Options
Re:WARNING: ER605 Security Vulnerability..!
2022-02-09 15:50:55

 

@Steve_McD 

Maybe anyone know, when the upgrade will be? This actualization is very necessary, because the problem is critical. 

 

  0  
  0  
#9
Options
Re:WARNING: ER605 Security Vulnerability..!
2022-02-12 11:32:08

 

Steve_McD wrote

@Steve_McD AAAARGH...!  If I HTTP into my PUBLIC WAN IP Address from any LAN, it also gives me the Router Login...

 

Now, I can confirm that if I HTTP into this address from the WAN side, I get nothing.

Can I be sure, however, that this is blocked by the ER605 and NOT by my ISP..?

 

Now, I know any unknown address should hit the gateway, then the routing table, but NOT the router management login...

Wow, just Wow..!

@Steve_McD 

 

The same here with ER7206 v1.0 Firmware 1.2.0 in Controller Mode.

If HTTP(S) with the Public WAN IP from LAN, the router login page is presented with additional Note: This Gateway is being managed by Omada Controller

For the moment we can deny access to the router WAN IP Address (Port) from LAN.

Profiles / Groups / IP-Port Group

Network Security / Switch ACL

 

  0  
  0  
#10
Options

Information

Helpful: 1

Views: 4556

Replies: 8

Related Articles