TP-Link Easy Smart Switch security question

grocerylist

@johnpoz
I've flashed my v2 to the v3 firmware but I'm unable to remove VLAN1 from all ports. I'm able to remove VLAN1 from all ports but port 1. If I try to remove VLAN1 from port 1 the switch goes offline (i'm unable to save the config with VLAN1 deleted from port 1) and I have to reboot to get connectivity back. My goal is to remove VLAN1 and change the default native vlan to something other than 1. Were you able to do this with the v3 firmware or do you know if this is possible?

I now know I should have never bought one of these switches in the first place but if there's some way to get them to work, I'd like to try rather than tossing them in the trash. If I knew what I now know, I'd have never bought these "smart switches" and would have bought another Juniper EX2200-C.

Thanks!

Apocalypse

@grocerylist Should not. The Switch is accessible from any VLAN. Access it through a different VLAN than 1 on another port and try again.

grocerylist

This post is deleted!

risemann

Hi guys!
This topic was interesting for me when I was looking for any information about security of these cheap switches.
If I remember correctly it is mentioned here that similar Netgear switches have the ability to turn off their web-interface. I found an article which proposes a strange "hack" which might be left in the firmware intentionally. This "hack" allows to disable web-gui on my TL-SG105E V5 until next reboot. Actually not only web-gui but the ability to be reconfigured and to be discovered by the configuration utility.

Here is the command:
curl -d "username=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&logon=Login" -X POST http://192.168.0.1/logon.cgi

The length of the username does matter. It's kind of buffer overflow, which doesn't looks like very reliable and enterprise-ready method but it's all we have :)

risemann

Your beautiful ant the most intelligent anti-spam filter does not allow me to post a link to the original article.

johnpoz

@risemann said in TP-Link Easy Smart Switch security question:

Your beautiful ant the most intelligent anti-spam filter

heheh - yeah I have no idea how it figures out what links should be allowed what should not.. But it then allows clear spam all the time with links, etc.

If you PM the link, be happy to post it for you.

The article sounds interesting.. Yeah my 2 cents on those switches - say a freak away..

easycompany251

Got a similar situation (I think) with another switch model - Netgear GS305EP.

VLAN1 is defaulted everywhere and cannot be removed from ports.

Reason I stumbled upon this is that I have this switch in front of PFSense - similar to a set up in which you only have 1 NIC on a PFSense box and basically whenever I connect this switch, PFSense is unable to acquire an IP from my ISP......which makes me think that somehow this switch is trying to pull an IP using DHCP from VLAN1.

johnpoz

@easycompany251 said in TP-Link Easy Smart Switch security question:

GS305EP

Hmmm - that is sad to hear, I do not have one to play with.. But not talking about deleting vlan 1 from the switch. Talking about removing it from a port when in 802.1q mode..

I looked for an emulator and can not find one to play with.. I have no use for a poe model, but I might be able to get non poe model the gs308e or gs305e to play with.. hmmm

easycompany251

@johnpoz

Yeah I tried excluding it from all ports.....but the web-ui requires it for at least 1 port....

stephenw10

If it's only on one port that's OK. The problem situation is when all ports are forced to always be a member of the same VLAN.

Steve

johnpoz

@easycompany251 said in TP-Link Easy Smart Switch security question:

but the web-ui requires it for at least 1 port....

Yeah as @stephenw10 stated leaving it on 1 port so you can get to the gui to admin, is prob a safety feature to prevent users from shooting themselves in the foot. And would be preferred to allowing all ports to be able to get to the gui.

easycompany251

@stephenw10 @johnpoz

Right so after you mentioned VLAN1 being on a single port, I went back and was actually able to make it work.

Turns out I left the VLAN1 on all ports (as defaulted) and the switch does allow for it to be set to one. Never even thought about removing VLAN1 all together except for a single port.

Thanks!

surenz

@apocalypse Registered just to thank you about the great idea and tutorial.
It was just a mess what software to use for creation of the hex file but finally managed to do it with HxD.
Finally I have a web interface and latest security updates for this very old device (Netgear latest firmware 1.6.0.9 is updated 1 year ago where the TP-Link's is from the 2014).

A Former User

Several ways here might be able to go with gaining the entire security using dump switches and/or smart ones up to real small layer3 switches.

Plain Routing (using dump switches)
If you are using the pfSense as firewall you may be able to set up on any LAN port a small or greater dump switch.

Network plugs in the wall --- patch panel --- some ports from patch panel to a dump switches --- dump switch to the pfSense firewall

So will be able to connect all WiFi APs to one Switch
Livingroom and house electric (smarthome) to another one
sons room to one switch
daughters room to one switch

and each of the switches will be connected to one LAN port of the pfSense, you may be now routing it all
through the pfSense and you work with rules.

Pro

• cheap
• easy to manage

Cons

• but only one routing point
• firewall must do the entire routing

Smart Switches (Using VLANs)
If you are using a smart switch you may be able to work with VLANs in your network and segment it in to many parts. You can now work with rules on the pfSense and
on top with ACLs on the Switch directly. The VLAN1 or VLAN0 is often so called default VLAM or management VLAN used only by the admin. After you were creating all your VLANs often you lay over another one (one over all the others) but not the VLAN1 (default) and with ACLs
you may now creating who has hands on what VLAN.

Pros

• cheap
• small broadcast domain
• better overview over devices
• better structured or segmented network
• the admin owns now a management VLAN

Cons

• ARP spoofing is not solved
• Inter VLAN hopping is not solved
• VLANs must be created and ACLs must be set up
• the management VLAN can be miss used by others

Greater Smart or managed Switches VLANs, MacSec, multiple Radius auth. for each switch port

You will be setting up VLANs as before;

• one management VLAN1 (default)
• all other with a great one over all others
• Setting up ACLs

But now you will be able to turn on MacSec, and now one is able to sniff inside of that Switch(es), you will be able to stack them (ring) to better manage them. And you will be able to set up on your pfSense the FreeRadius package or
another FreeRadius server on an RaspBerry PI or PC Engines APU1/2/3/4/6 if needed. You will be able to gain your security over installing OpenLDAP (wired clients),
FreeRadius Server with certificates, (wired and wireless clients) and now you will be able to put any device into its own VLANs by using a radius certificate and I mean not only for the wireless clients.

Pros

• Building stacks (ring)
• often MIBS for Nagios or PRTG
• each devices will be put in the right VLAN (certificates)
• MacSec is able to turn on (no sniffers)
• Switch Ports with multiple certificate authentication are
  not any more allowing to finger at the VLAN1 (default)
• no y-cable usage and/or foreign devices in your network
• much can be realized over pfSense itself or a small RaspBerry PI 2/3/4

Cons

• not so cheap as the other ways
• more management and admin power or work
• more complicated and also a much more hit on the
  entire LAN network cable (MacSec and Radius with certificates and encryption will be using much horse power)

Managed switches (greater ones)
You can be often her and in the section before getting hands on layer3 license and/or they will be also in all
other segments being sold as real layer3 switches such
the Cisco SG300 or SG350 series. You will be getting all as above mentioned but on top layer3 that let route the entire VLANs it self and free the pfSense firewall from that
workload. Often stacking modules will be also available
for such managed switches. It is often also offered some
different routing methods like RIP-2, IGMP, VRRP, OSPFv2, PIM-SM, static IP Routing, PIM-DM and others so it is more interesting what your pfSense firewall is set up
and/or using to the WAN side and the LAN side too.

Pros

• Stackable, Layer3 Licences available
• more routing protocols available
• faster and more powerful
• better connect and support to the WAN routing device
  (pending on the used routing protocols there)

Cons

• high cost
• high electric power using
• much more complicate to manage
• not for all circumstances and users

spaghetti_trash

Hi everyone, I recently bought the v6.0 version of this switch (TL-SG108E) and updated its firmware to the latest version (TL-SG108E(UN)_V6_1.0.0 Build 20230218) released last February.

Can you confirm the vulnerability is still there?

I personally tried to relegate the management interface to a single port but I was nonetheless able to access it from every other port.

noplan

@spaghetti_trash

have u tested it ?

spaghetti_trash

@noplan I assigned vlan 90 to port 5 and made it not a member of vlan 1. Devices plugged into port 5 got the correct address via DHCP but could still access the management interface in vlan 1. Additionally, I could also manually force these devices to get an IP from vlan 1.

I asked to make sure I did not miss anything during my tests, especially because TP-link talks about "security" enhancements in the release notes of their latest firmware. So I was hoping they had actually fixed this problem.

noplan

@spaghetti_trash

hi,

last time i checked it was possible to remove the port from any membership or vlan 1

gonna look up where this switch (sg-108e) is doin his job right now ... and check back
keep you posted

br np

NicklyJohn

@noplan Any luck?

Are you removing the ports using the web gui or @tpham3783 's guide for hexadecimal hacking a config backup?

EDIT: I was able to set a port to 2 to a different VLAN and it stopped showing for VLAN1:

Apocalypse

@NicklyJohn You are confusing port based VLAN and 802.1q based VLAN.
However, since v3.0 it is possible to remove any port from VLAN1 in 802.1q VLAN Tag.