CVE-2023-38909

Name of the Vulnerable Software and Affected Versions TP-Link Tapo L530 versions prior to 1.2.4 TP-Link Tapo L510E versions prior to 1.1.0 TP-Link Tapo L630 versions prior to 1.0.4 TP-Link Tapo P100 versions prior to 1.5.0 Tapo Application versions prior to 2.8.14

Description The issue is related to the lack of use of a random initialization vector with the cipher block chaining mode, allowing a remote attacker to obtain sensitive information via the IV component in the AES128-CBC function. This can enable a brute force attack.

Recommendations For TP-Link Tapo L530 versions prior to 1.2.4, update to version 1.2.4 or later. For TP-Link Tapo L510E versions prior to 1.1.0, update to version 1.1.0 or later. For TP-Link Tapo L630 versions prior to 1.0.4, update to version 1.0.4 or later. For TP-Link Tapo P100 versions prior to 1.5.0, update to version 1.5.0 or later. For Tapo Application versions prior to 2.8.14, update to version 2.8.14 or later. As a temporary workaround, consider restricting access to the AES128-CBC function until a patch is available.