A significant security hole has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution.
The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF's implementation of the tinydhcp server, stemming from a lack of proper input validation.
"There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution," CERT Coordination Center (CERT/CC) noted in an alert.
Given that the software is no longer maintained and is based on IoT-centric code, CERT/CC has warned that the vulnerability is "likely to surface in many places in the wild."
The bug affects ASF 3.52.0.2574 and all earlier versions of the software, and the agency has added a warning that numerous branches of the tinydhcp software are likely vulnerable to the flaw as well.
There are currently no patches or mitigations for CVE-2024-7490 other than replacing the tinydhcp service with one that does not share the same vulnerability.
The development comes after SonicWall Capture Labs highlighted a serious zero-click vulnerability affecting MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8) that could open the door to remote code execution without any user interaction, owing to an out-of-bounds write flaw.
"The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02," the firm added. "This translates to a large variety of vulnerable devices, including routers and smartphones."
"The vulnerability is a buffer overflow as a consequence of a length value grabbed straight from attacker-controlled packet data without bounds checking and inserted into a memory copy. This buffer overflow generates an out-of-bounds write."
A fix for the vulnerability was issued by MediaTek in March 2024; however, the likelihood of exploitation has grown with the public availability of a proof-of-concept (PoC) exploit as of August 30, 2024.
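The bug class SonicWall describes, a length taken from attacker-controlled packet data and fed straight into a memory copy, is shown below in a constructed C example added here for illustration; it is not the MediaTek or tinydhcp code, and the hypothetical TLV option layout, `VALUE_MAX`, and the two `copy_value_*` functions are assumptions. The unchecked pattern is shown alongside its bounded form, which is the one a reviewer should expect to see.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical option layout: [type:1][len:1][value:len]. Constructed to model
 * the bug class in the article (packet-supplied length used as a copy size). */
#define VALUE_MAX 16

/* Unsafe pattern: trusts the packet's length byte for the copy size. A len
 * larger than VALUE_MAX writes past 'out' (the out-of-bounds write described
 * above); a len larger than what the packet holds also over-reads 'pkt'. */
int copy_value_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t out[VALUE_MAX]) {
    if (pkt_len < 2) return -1;
    uint8_t len = pkt[1];
    memcpy(out, pkt + 2, len);        /* no bounds check on len */
    return len;
}

/* Hardened form: the copy size is validated against both the bytes actually
 * present in the packet and the capacity of the destination buffer. Returns
 * the number of value bytes copied, or -1 for a malformed or oversized option. */
int copy_value_checked(const uint8_t *pkt, size_t pkt_len, uint8_t out[VALUE_MAX]) {
    if (pkt == NULL || out == NULL || pkt_len < 2) return -1;
    size_t len = pkt[1];
    if (len > pkt_len - 2) return -1; /* length claims more than the packet holds */
    if (len > VALUE_MAX) return -1;   /* length exceeds the destination buffer */
    memcpy(out, pkt + 2, len);
    return (int)len;
}

int main(void) {
    /* Constructed sample packets: type byte, length byte, then value bytes. */
    const uint8_t good[] = {0x35, 0x03, 0x01, 0x02, 0x03};
    const uint8_t truncated[] = {0x35, 0x08, 0x01, 0x02}; /* claims 8, carries 2 */
    uint8_t oversized[2 + 64];                            /* claims 64 > VALUE_MAX */
    memset(oversized, 0x41, sizeof oversized);
    oversized[0] = 0x35;
    oversized[1] = 64;

    uint8_t out[VALUE_MAX];
    printf("good: %d\n", copy_value_checked(good, sizeof good, out));
    printf("truncated: %d\n", copy_value_checked(truncated, sizeof truncated, out));
    printf("oversized: %d\n", copy_value_checked(oversized, sizeof oversized, out));
    return 0;
}
```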