TP-Link Easy Smart Switch security question

rajkosto · Jul 9, 2021, 7:39 PM

@apocalypse what chip is the v1 ? i assume the v2/v3 are RTL8370M ? or is it the other way around (in your first post you said it was RTL8370N which cant be because those are unmanaged)

Apocalypse · Jul 9, 2021, 7:57 PM

@rajkosto Yes, v1 has RTL8370N which is managed. Also Netgear GSS108E. You can get more information here: https://github-com.translate.goog/libc0607/Realtek_switch_hacking/blob/master/RTL8370N-SR8808M.md?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=

There is even a Chinese firmware, with a web interface similar to that of TP-Link but without customization.

v2/v3 have RTL8367C. Yes, I know it is 5 ports but it is what appears in the TP-Link firmware if you open it with a hex editor.

v4/v5 I do not know.

rajkosto · Jul 9, 2021, 8:23 PM

@apocalypse this whole TP-Link situation is a mess anyway, both the firmwares available on their site are labeled 1.0.0 for some reason (even though one is clearly newer than the other, via date and build no), and they have both Easy Smart Configuration Utility and Unmanaged Pro Configuration Utility available on the website which is the exact same application just renamed...
i guess theres nothing else to do for my V2.0 other than to run V3.0 2017 firmware on it
EDIT: heh trying out the DHCP client feature and its bugged, both my "smart switches" ended up getting the same IP from openwrt dhcp server (maybe because i chained one into the other), however the easy smart config program was able to distinguish them and change settings independently ???

grocerylist · Jul 24, 2021, 8:48 PM

@johnpoz
I've flashed my v2 to the v3 firmware but I'm unable to remove VLAN1 from all ports. I'm able to remove VLAN1 from all ports but port 1. If I try to remove VLAN1 from port 1 the switch goes offline (i'm unable to save the config with VLAN1 deleted from port 1) and I have to reboot to get connectivity back. My goal is to remove VLAN1 and change the default native vlan to something other than 1. Were you able to do this with the v3 firmware or do you know if this is possible?

I now know I should have never bought one of these switches in the first place but if there's some way to get them to work, I'd like to try rather than tossing them in the trash. If I knew what I now know, I'd have never bought these "smart switches" and would have bought another Juniper EX2200-C.

Thanks!

Apocalypse · Jul 24, 2021, 8:54 PM

@grocerylist Should not. The Switch is accessible from any VLAN. Access it through a different VLAN than 1 on another port and try again.

grocerylist · Jul 24, 2021, 10:02 PM

This post is deleted!

risemann · Sep 25, 2021, 2:24 AM

Hi guys!
This topic was interesting for me when I was looking for any information about security of these cheap switches.
If I remember correctly it is mentioned here that similar Netgear switches have the ability to turn off their web-interface. I found an article which proposes a strange "hack" which might be left in the firmware intentionally. This "hack" allows to disable web-gui on my TL-SG105E V5 until next reboot. Actually not only web-gui but the ability to be reconfigured and to be discovered by the configuration utility.

Here is the command:
curl -d "username=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&logon=Login" -X POST http://192.168.0.1/logon.cgi

The length of the username does matter. It's kind of buffer overflow, which doesn't looks like very reliable and enterprise-ready method but it's all we have :)

risemann · Sep 25, 2021, 2:28 AM

Your beautiful ant the most intelligent anti-spam filter does not allow me to post a link to the original article.

johnpoz · Sep 25, 2021, 3:16 AM

@risemann said in TP-Link Easy Smart Switch security question:

Your beautiful ant the most intelligent anti-spam filter

heheh - yeah I have no idea how it figures out what links should be allowed what should not.. But it then allows clear spam all the time with links, etc.

If you PM the link, be happy to post it for you.

The article sounds interesting.. Yeah my 2 cents on those switches - say a freak away..

easycompany251 · Oct 5, 2021, 11:09 PM

Got a similar situation (I think) with another switch model - Netgear GS305EP.

VLAN1 is defaulted everywhere and cannot be removed from ports.

Reason I stumbled upon this is that I have this switch in front of PFSense - similar to a set up in which you only have 1 NIC on a PFSense box and basically whenever I connect this switch, PFSense is unable to acquire an IP from my ISP......which makes me think that somehow this switch is trying to pull an IP using DHCP from VLAN1.

johnpoz · Oct 5, 2021, 11:50 PM

@easycompany251 said in TP-Link Easy Smart Switch security question:

GS305EP

Hmmm - that is sad to hear, I do not have one to play with.. But not talking about deleting vlan 1 from the switch. Talking about removing it from a port when in 802.1q mode..

I looked for an emulator and can not find one to play with.. I have no use for a poe model, but I might be able to get non poe model the gs308e or gs305e to play with.. hmmm

easycompany251 · Oct 6, 2021, 5:22 AM

@johnpoz

Yeah I tried excluding it from all ports.....but the web-ui requires it for at least 1 port....

stephenw10 · Oct 6, 2021, 12:04 AM

If it's only on one port that's OK. The problem situation is when all ports are forced to always be a member of the same VLAN.

Steve

johnpoz · Oct 6, 2021, 5:22 AM

@easycompany251 said in TP-Link Easy Smart Switch security question:

but the web-ui requires it for at least 1 port....

Yeah as @stephenw10 stated leaving it on 1 port so you can get to the gui to admin, is prob a safety feature to prevent users from shooting themselves in the foot. And would be preferred to allowing all ports to be able to get to the gui.

easycompany251 · Oct 6, 2021, 10:43 PM

@stephenw10 @johnpoz

Right so after you mentioned VLAN1 being on a single port, I went back and was actually able to make it work.

Turns out I left the VLAN1 on all ports (as defaulted) and the switch does allow for it to be set to one. Never even thought about removing VLAN1 all together except for a single port.

Thanks!

surenz · Jul 1, 2022, 8:51 AM

@apocalypse Registered just to thank you about the great idea and tutorial.
It was just a mess what software to use for creation of the hex file but finally managed to do it with HxD.
Finally I have a web interface and latest security updates for this very old device (Netgear latest firmware 1.6.0.9 is updated 1 year ago where the TP-Link's is from the 2014).

Jul 12, 2022, 10:44 PM

Several ways here might be able to go with gaining the entire security using dump switches and/or smart ones up to real small layer3 switches.

Plain Routing (using dump switches)
If you are using the pfSense as firewall you may be able to set up on any LAN port a small or greater dump switch.

Network plugs in the wall --- patch panel --- some ports from patch panel to a dump switches --- dump switch to the pfSense firewall

So will be able to connect all WiFi APs to one Switch
Livingroom and house electric (smarthome) to another one
sons room to one switch
daughters room to one switch

and each of the switches will be connected to one LAN port of the pfSense, you may be now routing it all
through the pfSense and you work with rules.

Pro

cheap
easy to manage

Cons

but only one routing point
firewall must do the entire routing

Smart Switches (Using VLANs)
If you are using a smart switch you may be able to work with VLANs in your network and segment it in to many parts. You can now work with rules on the pfSense and
on top with ACLs on the Switch directly. The VLAN1 or VLAN0 is often so called default VLAM or management VLAN used only by the admin. After you were creating all your VLANs often you lay over another one (one over all the others) but not the VLAN1 (default) and with ACLs
you may now creating who has hands on what VLAN.

Pros

cheap
small broadcast domain
better overview over devices
better structured or segmented network
the admin owns now a management VLAN

Cons

ARP spoofing is not solved
Inter VLAN hopping is not solved
VLANs must be created and ACLs must be set up
the management VLAN can be miss used by others

Greater Smart or managed Switches VLANs, MacSec, multiple Radius auth. for each switch port

You will be setting up VLANs as before;

one management VLAN1 (default)
all other with a great one over all others
Setting up ACLs

But now you will be able to turn on MacSec, and now one is able to sniff inside of that Switch(es), you will be able to stack them (ring) to better manage them. And you will be able to set up on your pfSense the FreeRadius package or
another FreeRadius server on an RaspBerry PI or PC Engines APU1/2/3/4/6 if needed. You will be able to gain your security over installing OpenLDAP (wired clients),
FreeRadius Server with certificates, (wired and wireless clients) and now you will be able to put any device into its own VLANs by using a radius certificate and I mean not only for the wireless clients.

Pros

Building stacks (ring)
often MIBS for Nagios or PRTG
each devices will be put in the right VLAN (certificates)
MacSec is able to turn on (no sniffers)
Switch Ports with multiple certificate authentication are
not any more allowing to finger at the VLAN1 (default)
no y-cable usage and/or foreign devices in your network
much can be realized over pfSense itself or a small RaspBerry PI 2/3/4

Cons

not so cheap as the other ways
more management and admin power or work
more complicated and also a much more hit on the
entire LAN network cable (MacSec and Radius with certificates and encryption will be using much horse power)

Managed switches (greater ones)
You can be often her and in the section before getting hands on layer3 license and/or they will be also in all
other segments being sold as real layer3 switches such
the Cisco SG300 or SG350 series. You will be getting all as above mentioned but on top layer3 that let route the entire VLANs it self and free the pfSense firewall from that
workload. Often stacking modules will be also available
for such managed switches. It is often also offered some
different routing methods like RIP-2, IGMP, VRRP, OSPFv2, PIM-SM, static IP Routing, PIM-DM and others so it is more interesting what your pfSense firewall is set up
and/or using to the WAN side and the LAN side too.

Pros

Stackable, Layer3 Licences available
more routing protocols available
faster and more powerful
better connect and support to the WAN routing device
(pending on the used routing protocols there)

Cons

high cost
high electric power using
much more complicate to manage
not for all circumstances and users

spaghetti_trash · Apr 11, 2023, 8:24 AM

Hi everyone, I recently bought the v6.0 version of this switch (TL-SG108E) and updated its firmware to the latest version (TL-SG108E(UN)_V6_1.0.0 Build 20230218) released last February.

Can you confirm the vulnerability is still there?

I personally tried to relegate the management interface to a single port but I was nonetheless able to access it from every other port.

noplan · Apr 11, 2023, 9:01 AM

@spaghetti_trash

have u tested it ?

spaghetti_trash · Apr 11, 2023, 9:30 AM

@noplan I assigned vlan 90 to port 5 and made it not a member of vlan 1. Devices plugged into port 5 got the correct address via DHCP but could still access the management interface in vlan 1. Additionally, I could also manually force these devices to get an IP from vlan 1.

I asked to make sure I did not miss anything during my tests, especially because TP-link talks about "security" enhancements in the release notes of their latest firmware. So I was hoping they had actually fixed this problem.