CVE-2024-5035 - OpenCVE

The affected device expose a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.This issue affects Archer C4500X: through 1_1.1.6.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/
https://www.tp-link.com/en/support/download/archer-c5400x/#Firmware

History

No history.

MITRE

Status: PUBLISHED

Assigner: ONEKEY

Published: 2024-05-27T07:22:59.959Z

Updated: 2024-08-01T21:03:10.451Z

Reserved: 2024-05-16T21:01:26.696Z

Link: CVE-2024-5035

Vulnrichment

Updated: 2024-08-01T21:03:10.451Z

NVD

Status : Awaiting Analysis

Published: 2024-05-27T08:15:09.490

Modified: 2024-05-29T05:16:08.793

Link: CVE-2024-5035

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5035", "assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846", "state": "PUBLISHED", "assignerShortName": "ONEKEY", "dateReserved": "2024-05-16T21:01:26.696Z", "datePublished": "2024-05-27T07:22:59.959Z", "dateUpdated": "2024-08-01T21:03:10.451Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["rftest"], "product": "Archer C4500X", "vendor": "TP-Link", "versions": [{"lessThanOrEqual": "1_1.1.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "According to TP-Link, the rftest binary is only started in manufacturing mode."}], "value": "According to TP-Link, the rftest binary is only started in manufacturing mode."}], "credits": [{"lang": "en", "type": "finder", "value": "Quentin Kaiser from ONEKEY Research Labs"}], "datePublic": "2024-05-26T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The affected device expose a network service called \"rftest\" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.<p>This issue affects Archer C4500X: through 1_1.1.6.</p>"}], "value": "The affected device expose a network service called \"rftest\" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890.\u00a0By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with\u00a0elevated privileges.This issue affects Archer C4500X: through 1_1.1.6."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 8.8, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2d533b80-6e4a-4e20-93e2-171235122846", "shortName": "ONEKEY", "dateUpdated": "2024-05-29T04:37:28.917Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/"}, {"tags": ["vendor-advisory", "release-notes"], "url": "https://www.tp-link.com/en/support/download/archer-c5400x/#Firmware"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to firmware version 1_1.1.7."}], "value": "Upgrade to firmware version 1_1.1.7."}], "source": {"discovery": "UNKNOWN"}, "title": "TP-Link Archer C5400X - RFTest Unauthenticated Command Injection", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Limit exposure of ports TCP/8888, TCP/8889, and TCP/9000 works as an interim fix."}], "value": "Limit exposure of ports TCP/8888, TCP/8889, and TCP/9000 works as an interim fix."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5035", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-31T14:20:29.272074Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:tp-link:archer_c4500_firmware:*:*:*:*:*:*:*:*"], "vendor": "tp-link", "product": "archer_c4500_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": " 1_1.1.6"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:01:50.159Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:10.451Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/"}, {"tags": ["vendor-advisory", "release-notes", "x_transferred"], "url": "https://www.tp-link.com/en/support/download/archer-c5400x/#Firmware"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://www.tp-link.com/en/support/download/archer-c5400x/#Firmware", "tags": ["vendor-advisory", "release-notes", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:10.451Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5035", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-31T14:20:29.272074Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:tp-link:archer_c4500_firmware:*:*:*:*:*:*:*:*"], "vendor": "tp-link", "product": "archer_c4500_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": " 1_1.1.6"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-28T11:41:04.644Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "TP-Link Archer C5400X - RFTest Unauthenticated Command Injection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Quentin Kaiser from ONEKEY Research Labs"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TP-Link", "modules": ["rftest"], "product": "Archer C4500X", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1_1.1.6"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to firmware version 1_1.1.7.", "supportingMedia": [{"type": "text/html", "value": "Upgrade to firmware version 1_1.1.7.", "base64": false}]}], "datePublic": "2024-05-26T23:00:00.000Z", "references": [{"url": "https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/", "tags": ["third-party-advisory"]}, {"url": "https://www.tp-link.com/en/support/download/archer-c5400x/#Firmware", "tags": ["vendor-advisory", "release-notes"]}], "workarounds": [{"lang": "en", "value": "Limit exposure of ports TCP/8888, TCP/8889, and TCP/9000 works as an interim fix.", "supportingMedia": [{"type": "text/html", "value": "Limit exposure of ports TCP/8888, TCP/8889, and TCP/9000 works as an interim fix.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The affected device expose a network service called \"rftest\" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890.\u00a0By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with\u00a0elevated privileges.This issue affects Archer C4500X: through 1_1.1.6.", "supportingMedia": [{"type": "text/html", "value": "The affected device expose a network service called \"rftest\" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with elevated privileges.<p>This issue affects Archer C4500X: through 1_1.1.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "configurations": [{"lang": "en", "value": "According to TP-Link, the rftest binary is only started in manufacturing mode.", "supportingMedia": [{"type": "text/html", "value": "According to TP-Link, the rftest binary is only started in manufacturing mode.", "base64": false}]}], "providerMetadata": {"orgId": "2d533b80-6e4a-4e20-93e2-171235122846", "shortName": "ONEKEY", "dateUpdated": "2024-05-29T04:37:28.917Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5035", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:03:10.451Z", "dateReserved": "2024-05-16T21:01:26.696Z", "assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846", "datePublished": "2024-05-27T07:22:59.959Z", "assignerShortName": "ONEKEY"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The affected device expose a network service called \"rftest\" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890.\u00a0By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the device with\u00a0elevated privileges.This issue affects Archer C4500X: through 1_1.1.6."}, {"lang": "es", "value": "El dispositivo afectado expone un servicio de red llamado \"rftest\" que es vulnerable a la inyecci\u00f3n de comandos no autenticados en los puertos TCP/8888, TCP/8889 y TCP/8890. Al explotar con \u00e9xito esta falla, un atacante remoto no autenticado puede obtener la ejecuci\u00f3n de comandos arbitrarios en el dispositivo con privilegios elevados. Este problema afecta a Archer C4500X: hasta 1_1.1.6."}], "id": "CVE-2024-5035", "lastModified": "2024-05-29T05:16:08.793", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "research@onekey.com", "type": "Secondary"}]}, "published": "2024-05-27T08:15:09.490", "references": [{"source": "research@onekey.com", "url": "https://onekey.com/blog/security-advisory-remote-command-execution-on-tp-link-archer-c5400x/"}, {"source": "research@onekey.com", "url": "https://www.tp-link.com/en/support/download/archer-c5400x/#Firmware"}], "sourceIdentifier": "research@onekey.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "research@onekey.com", "type": "Secondary"}]}