| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5d137612f25140053a263e34eb757078@riseup.net>
Date: Tue, 30 Sep 2014 14:59:27 -0400
From: kvnjs <kvnjs@...eup.net>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple product vulnerabilities: all TP-Link "2-series"
switches, all TP-Link VxWorks-based product
Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network.
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists