A security researcher released details on a new zero-day vulnerability that impacts the TP-Link All-in-One SR20 Smart Home Router and Hub.
The researcher, Matthew Garrett of Google, found the vulnerability and released the details via Twitter after he said TP-Link failed to fix the bug within 90 days:
“It’s been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link device).”
Garrett also provided more details on the vulnerability in a blog titled “Remote code execution as root from the local network on TP-Link SR20 routers.”
One key takeaway from the report was TP-Link included a debug daemon Tddp (TP-Link Device Debug Protocol) in the production firmware. Debug apps/protocols should not typically run on production devices as they can be exploited by remote attackers.
Version 1 of Tddp also has well known vulnerabilities, to include no authentication required. Version 2 requires knowledge of the router admin password to exploit.
Garrett also reported his findings to TP-Link back in December via its security disclosure form. After receiving no response from TP-Link, he subsequently publicly disclosed the vulnerability details this week.