lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 30 Sep 2014 14:59:27 -0400
From: kvnjs <kvnjs@...eup.net>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple product vulnerabilities: all TP-Link "2-series"
 switches, all TP-Link VxWorks-based product

Vendor affected: TP-Link (http://tp-link.com)

Products affected:
   * All TP-Link VxWorks-based devices (confirmed by vendor)
   * All "2-series" switches (confirmed by vendor)
   * TL-SG2008 semi-managed switch (confirmed by vendor)
   * TL-SG2216 semi-managed switch (confirmed by vendor)
   * TL-SG2424 semi-managed switch (confirmed by vendor)
   * TL-SG2424P semi-managed switch (confirmed by vendor)
   * TL-SG2452 semi-managed switch (confirmed by vendor)

Vulnerabilities:
   * All previously-reported VxWorks vulnerabilities from 6.6.0 on;
     at the very least:
     * CVE-2013-0716 (confirmed by vendor)
     * CVE-2013-0715 (confirmed by vendor)
     * CVE-2013-0714 (confirmed by vendor)
     * CVE-2013-0713 (confirmed by vendor)
     * CVE-2013-0712 (confirmed by vendor)
     * CVE-2013-0711 (confirmed by vendor)
     * CVE-2010-2967 (confirmed by vendor)
     * CVE-2010-2966 (confirmed by vendor)
     * CVE-2008-2476 (confirmed by vendor)
   * SSLv2 is available and cannot be disabled unless HTTPS is
     completely disabled (allows downgrade attacks)
     (confirmed by vendor)
   * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
     be disabled (allows downgrade attacks)
     (confirmed by vendor)

Design flaws:
   * Telnet is available and cannot be disabled (confirmed by vendor)
   * SSHv1 enabled by default if SSH is enabled (confirmed by vendor)

Vendor response:
   TP-Link are not convinced that these flaws should be repaired.

   TP-Link's Internet presence -- or at least DNS -- is available only
   intermittently. Most emails bounced. Lost contact with vendor, but
   did confirm that development lead is now on holiday and will not
   return for at least a week.

   Initial vendor reaction was to recommend purchase of "3-series"
   switches. Vendor did not offer reasons why "3-series" switches would
   be more secure, apart from lack of telnet service. Vendor confirmed
   that no development time can be allocated to securing "2-series"
   product and all focus has shifted to newer products.

   (TL-SG2008 first product availability July 2014...)

   Vendor deeply confused about security of DES/3DES, MD5, claimed that
   all security is relative. ("...[E]ven SHA-1 can be cracked, they just
   have different security level.")

Fix availability:
   None.

Work-arounds advised:
   None possible. Remove products from network.


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists