TP-Link Archer C20 V6.0 and AX53 V1.0 TDDP Authentication Bypass Vulnerability Allowing Unauthenticated Administrative Command Execution

Vulnerability

A logic vulnerability has been identified in the TP-Link Archer C20 V6.0 and Archer AX53 V1.0 routers, specifically within the TP-Link Device Debug Protocol (TDDP) module. It allows an unauthenticated attacker on an adjacent network to execute administrative commands, such as factory resets and device reboots, without any credentials. The issue arises from an implementation flaw in the TDDP service, which is enabled by default on these devices. An attacker on the adjacent network can exploit it to cause configuration loss and disrupt device availability.

Impact

Exploitation of this vulnerability allows for unauthorized execution of administrative commands, including factory resets and reboots, on the affected devices. This could lead to a complete loss of configuration and availability.

Reproduction

The vulnerability can be reproduced by sending a specially crafted TDDP packet with a 'pktLength' value of 0. This bypasses the DES encryption that is normally required for authentication. After the packet is received, the TDDP command handlers interpret the data as valid commands. By placing specific bytes at the correct offsets in the packet, it is possible to trigger administrative functions such as resetting the device or rebooting it.

Remediation

TP-Link has released firmware updates to address this vulnerability. Users of the Archer C20 V6.0 should update to version V6_241231, and users of the Archer AX53 V1.0 should update to version 1.2.2 Build 20230627. After updating, verify that TDDP is no longer active and block UDP port 1040 at the network level.
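The Reproduction section describes the trigger condition (a TDDP datagram whose 'pktLength' field is 0), and the Remediation section asks operators to confirm TDDP is no longer active and to block UDP port 1040. The following detection helper ties the two together from the defender's side: it inspects UDP datagrams addressed to port 1040, parses the TDDP header, and raises an alert for any packet with pktLength = 0, while also logging ordinary TDDP traffic so that a device which should have TDDP disabled after patching can be spotted. This is an added example, not code from the advisory or from TP-Link; the 28-byte header layout (version, type, code, replyInfo, 4-byte big-endian pktLength, pktID, subType, reserve, 16-byte digest) is an assumption, since the page names only the pktLength field, and the sample datagrams are constructed, not captured traffic.

```python
"""Detect TDDP datagrams with pktLength == 0 on UDP/1040.

Added example for the advisory above, not the vendor's code. The header
layout below is an ASSUMPTION (the advisory only names 'pktLength'):
  version(1) type(1) code(1) replyInfo(1) pktLength(4, big-endian)
  pktID(2) subType(1) reserve(1) digest(16)  -> 28 bytes total
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

TDDP_PORT = 1040                 # UDP port named in the advisory
HEADER_FMT = ">BBBBIHBB16s"      # assumed header layout, network byte order
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28


@dataclass
class TddpHeader:
    version: int
    type_: int
    code: int
    reply_info: int
    pkt_length: int
    pkt_id: int
    sub_type: int
    reserve: int
    digest: bytes


def parse_tddp_header(payload: bytes) -> Optional[TddpHeader]:
    """Parse the assumed fixed-size header; None if the datagram is too short."""
    if len(payload) < HEADER_LEN:
        return None
    return TddpHeader(*struct.unpack(HEADER_FMT, payload[:HEADER_LEN]))


def classify(dst_port: int, payload: bytes) -> str:
    """Return 'ignore', 'malformed', 'zero-length-tddp' or 'tddp' for one datagram."""
    if dst_port != TDDP_PORT:
        return "ignore"
    hdr = parse_tddp_header(payload)
    if hdr is None:
        return "malformed"
    if hdr.pkt_length == 0:
        # The advisory's trigger condition: a zero pktLength skips the DES path.
        return "zero-length-tddp"
    return "tddp"


def scan(datagrams: Iterable[Tuple[str, int, bytes]]) -> List[str]:
    """Produce alert lines for a sequence of (src_ip, dst_port, udp_payload)."""
    alerts = []
    for src, dst_port, payload in datagrams:
        verdict = classify(dst_port, payload)
        if verdict == "zero-length-tddp":
            alerts.append(f"ALERT src={src}: TDDP header with pktLength=0 "
                          f"(matches the authentication-bypass condition)")
        elif verdict == "tddp":
            # After patching, TDDP should be disabled: any TDDP traffic is worth a look.
            alerts.append(f"INFO src={src}: TDDP traffic on UDP/{TDDP_PORT}; "
                          f"confirm TDDP is disabled and the port is blocked")
    return alerts


def build_header(pkt_length: int, body: bytes = b"") -> bytes:
    """Build a constructed sample datagram (header fields other than
    pktLength are zero except a placeholder version byte)."""
    return struct.pack(HEADER_FMT, 1, 0, 0, 0, pkt_length, 0, 0, 0, b"\x00" * 16) + body


# Constructed sample datagrams for a local run (not captured traffic).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", 53, b"\x00" * 32),                    # not TDDP: ignored
    ("192.0.2.11", 1040, build_header(16, b"A" * 16)),   # ordinary TDDP datagram
    ("192.0.2.12", 1040, build_header(0, b"\x00" * 16)), # pktLength=0 anomaly
    ("192.0.2.13", 1040, b"\x01\x02"),                   # truncated header: malformed
]

if __name__ == "__main__":
    for line in scan(SAMPLE_DATAGRAMS):
        print(line)
```

In a real deployment the datagram tuples would come from a packet capture or an IDS hook on the LAN segment facing the router; the classification itself does not depend on the capture source. A truncated header is reported as malformed rather than silently dropped so that fuzzing-style noise on the port is still visible.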

Added: Jan 21, 2026, 6:46 PM
Updated: Jan 21, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 5.0
exploitability: 5.8
remediation: 8.3
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.