CVE-2020-12110

Published: 04/05/2020 Updated: 12/05/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 540
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Certain TP-Link devices have a Hardcoded Encryption Key. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.

Vulnerable Product

tp-link nc200_firmware 2.1.6

tp-link nc200_firmware 2.1.9

tp-link nc210_firmware 1.0.3

tp-link nc210_firmware 1.0.4

tp-link nc210_firmware 1.0.9

tp-link nc220_firmware 1.2.0

tp-link nc220_firmware 1.3.0

tp-link nc230_firmware 1.0.3

tp-link nc230_firmware 1.2.1

tp-link nc230_firmware 1.3.0

tp-link nc250_firmware 1.0.8

tp-link nc250_firmware 1.0.10

tp-link nc250_firmware 1.2.1

tp-link nc250_firmware 1.3.0

tp-link nc260_firmware 1.0.5

tp-link nc260_firmware 1.0.6

tp-link nc260_firmware 1.4.1

tp-link nc260_firmware 1.5.0

tp-link nc260_firmware 1.5.2

tp-link nc450_firmware 1.0.15

tp-link nc450_firmware 1.1.2

tp-link nc450_firmware 1.3.4

tp-link nc450_firmware 1.5.3

Exploits

TP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from having a hardcoded encryption key. The issue is located in the methods swSystemBackup and symswSystemRestoreFile, where a hardcoded encryption key is used in order to encrypt/decrypt a config backup file. The algorithm in use is DES ECB with mo ...
TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The sys ...
TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from ...

Metasploit Modules

TP-Link Cloud Cameras NCXXX Bonjour Command Injection

TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.

msf > use exploit/linux/http/tp_link_ncxxx_bonjour_command_injection
msf exploit(tp_link_ncxxx_bonjour_command_injection) > show targets
    ...targets...
msf exploit(tp_link_ncxxx_bonjour_command_injection) > set TARGET <target-id>
msf exploit(tp_link_ncxxx_bonjour_command_injection) > show options
    ...show and set options...
msf exploit(tp_link_ncxxx_bonjour_command_injection) > exploit