TP-Link Archer C50 router is vulnerable to configuration-file decryption

Gandalf_The_Grey

The TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of sensitive configuration files. This vulnerability allows attackers to trivially access administrative credentials, Wi-Fi passwords, and other internal settings, after authentication to the device.
The CERT/CC is currently unaware of a practical solution to this problem. Note: The TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.

Users are strongly advised to:
  • Retire and replace the Archer C50 with a supported router model
  • Avoid using devices with known cryptographic flaws
  • Secure or delete any exported configuration files
  • Change passwords if configuration files were exposed or restored from backup
 
The C50 is still for sale though. At the moment, due to me changing my ISP in March this year, I ended up using the ISP router they supplied, similar to the UK BT one, at least until any early problems were sorted with a new fibre install, with the intention of using a different router later. As it's working fine & now well placed due to the WAN being Ethernet to the router in the middle of my house, I don't need a MESH system yet, though I thought I would. The ISP router is not perfect but any vulnerabilities are usually sorted. A relative of mine is using the C50 mentioned in the article above so it's only fair to sort that for him.
 
If TP-Link doesn't update the firmware, then maybe you can suggest that your relative flash OpenWRT firmware on his C50, if his version is supported, which can be checked and downloaded from here.
C50 is still quite popular in my region.
 
Thanks for that! I will look into it. The C50 he uses was actually for cameras & doorbell etc. as a separate system to run at 2.4 only, but I will sort it as I'm seeing him this week.
 
I analyzed this CVE and, from my understanding, the risk here is more about internal attackers and less about external ones. The CVE says AFTER AUTHENTICATION TO THE DEVICE, meaning the attacker must be inside the LAN and have access to the admin page. He needs to crack the Wi-Fi keys first, then another task is knowing the Username and Admin keys before being able to authenticate to the Admin Login Page where he can access the Configuration File for backup/restore. Technically, if the attacker obtains access to the admin page, then there is no need to decrypt the config file, as all info can be seen by the admin in the config page. SSH to the router requires the same Wi-Fi/Admin keys.
In short, you need local access or physical access to the router.

Just ensure that the Remote Authentication/Remote Admin is disabled in the router, as that will lessen the attack surface. And if possible, also apply MAC filtering in the router for internal users.

Else, try upgrading the router from AC to AX or use OpenWRT if supported.

I will treat this as low risk unless my understanding is wrong....
 
I don’t think that this router supports any remote administration features anyway.
 
Haven't used TP-Link for years. I fell in love with AsusWRT in 2015 and always go for Asus models which have remote admin. Also love the Merlin version for added features, so I go back and forth on flashing Stock and Merlin Firmware.
The C50 is quite an old Wi-Fi 5 router and it was also a low-end device. It doesn’t have these remote administration luxuries. You’ve understood correctly, authentication to the device is required.

And yes, I am using the Asus RT-AXE7800 router with the TM Ai Protection. Blocks scam websites quite often (it’s not me opening them). I’ve also deployed Control D on this router.
 
I use Asus AX56U which is enough for my needs.

I forgot TP-Link also has Trend Micro HomeCare built in, with selected models only.
Another option, in case users wanna upgrade, is Netgear with Bitdefender Armor, but that requires an annual subscription, which is a No-No for me compared to Asus.
Acer routers as well offer Trend Micro lifetime protection. TP-Link charges monthly now for all features, except the web filtering.
 
I didn't notice that Acer got TM too, you're right!

It's a good business move to partner with those Chinese/Taiwanese brands, as the Trend owners are really from Taiwan.
By having security at the gateway, the more data and threat intel Trend analyzes that powers the SPN (Smart Protection Network).