TL-WR940N uses weak MD5 hashing algorithm

midist0xf
Dec 31, 2022


Description
TP-Link router TL-WR940N V6 3.19.1 Build 180119 uses the deprecated MD5 algorithm to hash the admin’s password used for Basic Authentication.

Impact
Because Basic Authentication over HTTP is used by default, an attacker who intercepts a single authenticated request can easily crack the admin’s password hash and recover the plaintext password.
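
A defender-side check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it inspects a captured request and reports Basic credentials sent without TLS whose secret has the shape of an unsalted MD5 hex digest. The `user:md5hex` credential layout, the host name `router.example` and the sample password are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")  # shape of an MD5 hex digest


def build_sample_request(password):
    """Constructed request; 'user:md5hex(password)' layout is an assumption."""
    digest = hashlib.md5(password.encode()).hexdigest()
    token = base64.b64encode(f"admin:{digest}".encode()).decode()
    return ("GET / HTTP/1.1\r\nHost: router.example\r\n"
            f"Authorization: Basic {token}\r\n\r\n")


def basic_credentials(raw_request):
    """Return (user, secret) from an Authorization: Basic header, else None."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        kind, _, token = value.strip().partition(" ")
        if kind.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, secret = decoded.partition(":")
        return (user, secret) if sep else None
    return None


def audit(raw_request, over_tls):
    """List the weaknesses this advisory describes that the request shows."""
    findings = []
    creds = basic_credentials(raw_request)
    if creds is None:
        return findings
    if not over_tls:
        findings.append("basic-auth-over-cleartext-http")
    if MD5_HEX.fullmatch(creds[1]):
        findings.append("secret-shaped-like-unsalted-md5")
    return findings


if __name__ == "__main__":
    print(audit(build_sample_request("constructed-sample"), over_tls=False))
```

Because the digest is unsalted, the same password always produces the same header value, so the check flags a credential that stays constant across requests until the password changes.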

Remediation
Update the firmware to version TL-WR940N(EU)_V6_3.20.1 Build 220801 (https://www.tp-link.com/en/support/download/tl-wr940n/#Firmware)

CWE
CWE-327 Use of a Broken or Risky Cryptographic Algorithm

OWASP
WSTG-CRYP-04 Testing for Weak Encryption

Timeline
2022-10-27: reported to the vendor
2022-12-19: TP-Link confirmed the issue was fixed in the new firmware published on 2022-11-21
