A critical security flaw has been discovered in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution.
The vulnerability, tracked as CVE-2024-7490, has a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack overflow vulnerability in the ASF implementation of the tinydhcp server that results from a lack of proper input validation.
“A vulnerability exists in all publicly available examples of the ASF codebase that allows a specially crafted DHCP request to cause a stack overflow that could lead to remote code execution,” CERT Coordination Center (CERT/CC) said in an advisory.
Given that the software is no longer supported and is based on IoT-focused code, CERT/CC warns that the vulnerability is “likely to appear in many places in the wild.”
The problem affects ASF 3.52.0.2574 and all previous versions of the software, with the agency noting that several forks of the tinydhcp software are also likely to be susceptible to the flaw.
There are currently no fixes or mitigations to address CVE-2024-7490, other than replacing the tinydhcp service with another that does not have the same problem.
The development comes after SonicWall Capture Labs detailed a serious zero-click vulnerability affecting MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8), which can open the door to remote code execution without the need for user interaction due to an out-of-bounds write issue.
“Affected versions include MediaTek SDK version 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02,” the company said in a statement. “This means a large number of vulnerable devices, including routers and smartphones.”
“The vulnerability is a buffer overflow resulting from a length value taken directly from attacker-controlled packet data without bounds checking and placed in a memory copy. This buffer overflow creates an out-of-bounds write.”
A patch for the vulnerability was released by MediaTek in March 2024, although the likelihood of exploitation has increased with the public availability of a proof-of-concept (PoC) exploit as of August 30, 2024.
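
The following is an added example, not code from ASF, tinydhcp, MediaTek or the quoted advisories. It is a DHCP options parser in C that applies the kind of input validation the tinydhcp description says was lacking and the bounds check on a packet-supplied length that the SonicWall quote says was absent. The function names, the 32-byte buffer and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD 0
#define OPT_END 255
#define OPT_HOSTNAME 12      /* RFC 2132 host name option */
#define HOSTNAME_MAX 32      /* constructed size of the fixed stack buffer */

/* Copy option `want` into dst. Returns bytes copied, or -1 if the option is
 * absent, truncated, or larger than dst_cap. */
int dhcp_get_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                    uint8_t *dst, size_t dst_cap)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= opts_len) return -1;        /* length byte is missing */
        size_t len = opts[i++];              /* untrusted: comes from the packet */
        if (len > opts_len - i) return -1;   /* value would run past the packet */
        if (code == want) {
            /* The flawed pattern is memcpy(dst, &opts[i], len) without this check. */
            if (len > dst_cap) return -1;    /* value would overflow dst */
            memcpy(dst, &opts[i], len);
            return (int)len;
        }
        i += len;                            /* skip an option we do not need */
    }
    return -1;
}

/* Parse a host name option into a fixed-size stack buffer. */
int parse_hostname(const uint8_t *opts, size_t opts_len)
{
    uint8_t name[HOSTNAME_MAX];
    return dhcp_get_option(opts, opts_len, OPT_HOSTNAME, name, sizeof name);
}

/* Constructed samples: valid, truncated, and oversize host name options. */
static const uint8_t sample_ok[]  = { 53, 1, 3, 12, 4, 'n', 'o', 'd', 'e', 255 };
static const uint8_t sample_cut[] = { 12, 200, 'a', 'b', 255 };
static const uint8_t sample_big[2 + 40] = { 12, 40 };   /* 40 > HOSTNAME_MAX */

int main(void)
{
    printf("%d %d %d\n", parse_hostname(sample_ok, sizeof sample_ok),
           parse_hostname(sample_cut, sizeof sample_cut),
           parse_hostname(sample_big, sizeof sample_big));
    return 0;
}
```

Two separate checks are needed: the declared length must fit in what remains of the packet, and it must fit in the destination buffer.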