Netgate Discussion Forum

    TP-Link Easy Smart Switch security question

    185 Posts 44 Posters 88.7k Views
warheat1990

TP-Link released beta firmware in July 2017 for both the SG105E and SG108E; anyone care to try?

Link:
http://static.tp-link.com/TL-SG105E(UN)_V3_170717_Beta.rar
http://static.tp-link.com/TL-SG108E(UN)_V3_170717_Beta.rar

johnpoz (LAYER 8 Global Moderator)

Did they release for v2?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

stephenw10 (Netgate Administrator)

Mmm, did they release for anything else? Is there an announcement anywhere?

Steve

johnpoz (LAYER 8 Global Moderator)

Not that I could find. Typical, it seems, for this company.

thuety

So my SG108E is directly connected to my cable modem with untagged VLAN x and PVID x.
How worried should I be about the VLAN 1 membership?
Wouldn't an attacker need to be in my cable/WAN subnet?

Derelict (LAYER 8 Netgate)

I would not use that switch on WAN. It's a sketchy enough proposition with a good switch with a proper management VLAN.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

belt9

Security-wise, for a switch on WAN, how about a RADIUS server?

Doesn't pfSense even have a package for that?

Never used it before, so it might not work at all?

Derelict (LAYER 8 Netgate)

What?

lexxai

I will add something about the security of these devices…
On the TL-SG1016DE, values can be changed without any authentication.
This is from testing of my device… VLAN1 is the problem.
Now the SG1016DE is used only internally.

                      –
                      We have what we have. Everything that happens - for the better.

tpham3783

Hi guys,

Since TP-Link refused to give me the source code, I decided to take on this issue myself.

Here is how you can hack it (un-member ports on vlan1). I have already tested on the SG108PE (hw version 3) switch and it worked.

1. Set up your VLAN configuration as usual.
2. Save the config (config.cfg).
3. Open it up with a hex editor. Right after the text "Default_VLAN" you will see FF (that basically means all 8 ports are members of untagged vlan1). Change it to 00 if you want to un-member all ports from vlan1. As shown in the attached picture, I changed it to 80 because I still wanted port 8 to be a member of vlan1 so that I can manage the switch from the web GUI.
4. Save the file, then restore the modified config in System > System Tools > Restore Config.
5. Wait for the switch to reboot, go to the VLAN config, and notice that the ports belonging to vlan1 have changed.

Cheers! I still hope for TP-Link to fix this VLAN1 bug one day! This is just a work-around.

Attachments: tp_vlan1_disable_all_ports.png, tp_link_unmember_vlan1_hack.png
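As an added example (not tpham3783's or TP-Link's code), a small Python helper that locates the Default_VLAN marker in a saved config.cfg, decodes the membership byte that follows it using the port-to-bit mapping implied by the FF and 80 values in the post above (port n is bit n-1), and writes a copy with only the chosen ports left in VLAN 1. The sample config bytes are constructed, and the layout assumed is a single membership byte directly after the marker, so the helper refuses to patch a file where the marker is absent rather than guessing.

```python
import sys

# Marker tpham3783 reports in the saved config.cfg; the VLAN 1 membership byte
# follows it directly (0xFF = all eight ports, 0x80 = port 8 only).
MARKER = b"Default_VLAN"

# Constructed sample (not a real TP-Link dump): padding, the marker, the
# membership byte 0xFF, then more padding. The surrounding bytes are an assumption.
SAMPLE_CONFIG = b"\x00\x01pad\x00" + MARKER + b"\xff" + b"\x00\x00tail"


def ports_from_mask(mask):
    """Decode a membership byte: port n is bit n-1, so 0x10 is port 5 and 0x80 is port 8."""
    return [n for n in range(1, 9) if mask & (1 << (n - 1))]


def mask_from_ports(ports):
    """Encode the ports that should remain members of VLAN 1 into one byte."""
    mask = 0
    for n in ports:
        if not 1 <= n <= 8:
            raise ValueError("port %d is outside 1..8" % n)
        mask |= 1 << (n - 1)
    return mask


def find_membership_offset(cfg):
    """Offset of the VLAN 1 membership byte, or None when the marker is absent
    (the SG105E and SG1016DE v1 dumps discussed in this thread lack it)."""
    i = cfg.find(MARKER)
    if i < 0 or i + len(MARKER) >= len(cfg):
        return None
    return i + len(MARKER)


def set_vlan1_members(cfg, ports):
    """Return a copy of cfg with the membership byte rewritten; never patch blindly."""
    off = find_membership_offset(cfg)
    if off is None:
        raise ValueError("Default_VLAN marker not found; this firmware uses a different layout")
    return cfg[:off] + bytes([mask_from_ports(ports)]) + cfg[off + 1:]


if __name__ == "__main__":
    # Usage: python vlan1_mask.py config.cfg patched.cfg 8   (keep only port 8 in VLAN 1)
    src, dst, keep = sys.argv[1], sys.argv[2], [int(p) for p in sys.argv[3:]]
    data = open(src, "rb").read()
    off = find_membership_offset(data)
    print("VLAN 1 members now:", ports_from_mask(data[off]) if off is not None else "marker not found")
    open(dst, "wb").write(set_vlan1_members(data, keep))
```

Restore the patched file the same way as in step 4 and confirm in the VLAN page that only the ports you listed remain in VLAN 1.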

JKnott

I'll have to give that a try with my 5 port switch. I don't suppose you'd have a fix for their TL-WA901N access point. ;)
It has the same problem where data from the native LAN leaks into the VLAN & 2nd SSID.

I think those TP-Link engineers need a lesson or 2 on VLANs.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

JKnott

That fix doesn't seem to apply to the TL-SG105E switch.

tpham3783

@JKnott:

> That fix doesn't seem to apply to the TL-SG105E switch.

Were you able to see the port assignment change in step 5?

By the way, I saw VLAN isolation with the work-around solution. The only thing I saw that was strange was that the switch's IP address is a member of all VLANs. If I were to change my PC's IP address to the same subnet as the switch, I could communicate with it on a non-native VLAN, which is kinda weird.

However, the switch is no longer behaving like a dumb switch because ports are removed from vlan1.

johnpoz (LAYER 8 Global Moderator)

I will give this a try on the 105E v2 tonight when I get home. Great info, thanks.

lexxai

Some analysis information about applying this method to the TL-SG1016DE (HW:2):

vlan:777,port: 5tag, name: TESTVVV
777 = 0x0309 (0x09 0x03)
5 =  0x10  (0001 0000) 5 bit.

vlan:777,port: 5untag, name: TESTVVV
777 = 0x0309 (0x09 0x03)
5 =  0x10  (0001 0000) 5 bit.

source: http://lexxai.pp.ua

thuety

@tpham3783:

> Here is how you can hack it (un-member ports on vlan1). I have already tested on the SG108PE (hw version 3) switch and it worked.

Worked on my TL-SG108E 2.0, thanks!
Why didn't I think of this… ::)

Attachment: sg108e_vlan1_hack.PNG

JKnott

> Were you able to see the port assignment change in step 5?

No, there was very little recognizable text in the hex editor. I did not see the word "Default", as shown in lexxai's post.

> The only thing I saw that was strange was that the switch's IP address is a member of all VLANs. If I were to change my PC's IP address to the same subnet as the switch, I could communicate with it on a non-native VLAN, which is kinda weird.

On managed switches I've worked on, there was a specific management interface, which was assigned an IP address. I've also set up networks where the management interface was on a separate VLAN.

thuety

@JKnott:

> The only thing I saw that was strange was that the switch's IP address is a member of all VLANs. If I were to change my PC's IP address to the same subnet as the switch, I could communicate with it on a non-native VLAN, which is kinda weird.

> On managed switches I've worked on, there was a specific management interface, which was assigned an IP address. I've also set up networks where the management interface was on a separate VLAN.

Even after setting the VLAN 1 membership to port 8 only… I can still connect a client to any switch port, set the IP to the same subnet and then access the switch web login.
So VLAN 1 has no relevance for web admin access... I guess we can kill all VLAN 1 membership with the hex hack..!?

stephenw10 (Netgate Administrator)

Hmm, well this is interesting. It implies it's a GUI limitation only.

The exact string Default_VLAN does not appear in the config from a TL-SG1016DE v1. Not quite the same as the v2 either. Some experimentation needed…

Steve

![Config(1).cfg - GHex_311.png](/public/imported_attachments/1/Config(1).cfg - GHex_311.png)

tpham3783

@thuety:

> Even after setting the VLAN 1 membership to port 8 only… I can still connect a client to any switch port, set the IP to the same subnet and then access the switch web login.
> So VLAN 1 has no relevance for web admin access... I guess we can kill all VLAN 1 membership with the hex hack..!?

I saw that too. It looks like the switch (management IP) is a member of all VLANs, and that the GUI can be accessed from any access port. However, the GUI cannot be accessed on a trunk port (tagged port), unless you configure another VLAN with the trunk port configured as an untagged port. Attached is a picture of my improved config where I ended up removing all ports from vlan1.

Although I can access the switch's management interface on any access port (untagged ports), I cannot access PCs that belong on another VLAN. Would you please confirm that's what you're seeing too? Thanks.

Attachment: config.png

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.