A significant security vulnerability has been identified in the Microchip Advanced Software Framework (ASF) which, if exploited, could enable remote code execution.

The issue, tracked as CVE-2024-7490, has received a CVSS score of 9.5 out of a possible 10. It is a stack-based overflow in ASF's implementation of the tinydhcp server, caused by insufficient input validation.

The CERT Coordination Center (CERT/CC) noted in an advisory that “a vulnerability exists in all publicly accessible examples of the ASF codebase, allowing an engineered DHCP request to induce a stack-based overflow, which can lead to remote code execution.”

Given that the software is outdated and specifically targeted at IoT frameworks, CERT/CC has expressed concerns that this vulnerability may be prevalent across various platforms in operational environments.

The issue affects ASF version 3.52.0.2574 and all earlier versions, and the agency indicated that several derivatives of the tinydhcp application may also be vulnerable. No patches or mitigations are currently available for CVE-2024-7490 other than replacing the tinydhcp service with an alternative.

This disclosure coincides with findings from SonicWall Capture Labs, which revealed a critical zero-click vulnerability associated with MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8) that could facilitate remote code execution without the need for user interaction, stemming from an out-of-bounds write issue.

SonicWall highlighted that “the afflicted versions encompass MediaTek SDK versions 7.4.0.1 and preceding, as well as OpenWrt versions 19.07 and 21.02,” consequently endangering a wide array of devices, including routers and smartphones.

This vulnerability is a buffer overflow: a length value is taken directly from adversary-controlled packet data and used in a memory copy without proper bounds checking, resulting in an out-of-bounds write.
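The bug class described for both CVEs, shown as an added example from the defender's side: a DHCP option reader that checks the packet-supplied length against both the remaining packet bytes and the destination size before copying. This is illustrative code, not the ASF tinydhcp or MediaTek source; the function name, buffer size and sample option fields are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD 0    /* single byte, carries no length field */
#define OPT_END 255  /* terminates the options field */

/* Copy the value of DHCP option `want` into dst (capacity dst_cap).
 * Returns the value length, or -1 if the option is absent, truncated,
 * or larger than the destination. Hypothetical helper for this example. */
int copy_dhcp_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                     uint8_t *dst, size_t dst_cap)
{
    size_t i = 0;
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= opts_len) return -1;        /* length byte missing */
        size_t len = opts[i++];              /* value chosen by the sender */
        if (len > opts_len - i) return -1;   /* value runs past the packet */
        if (code == want) {
            /* The unchecked form copies `len` bytes here unconditionally:
             * len comes from the packet, dst_cap from the programmer. */
            if (len > dst_cap) return -1;
            memcpy(dst, &opts[i], len);
            return (int)len;
        }
        i += len;
    }
    return -1;
}

/* Constructed sample option fields (option 53 = message type, 12 = host name). */
static const uint8_t OPTS_OK[] = {53, 1, 3, 12, 4, 'n', 'o', 'd', 'e', 255};
static const uint8_t OPTS_OVERLONG[23] = {12, 20}; /* 20-byte value, zero-filled */
static const uint8_t OPTS_TRUNC[] = {12, 200, 'x', 'y'}; /* claims 200, has 2 */

int main(void)
{
    uint8_t host[8]; /* fixed-size destination, like a stack buffer */
    printf("ok=%d overlong=%d truncated=%d\n",
           copy_dhcp_option(OPTS_OK, sizeof OPTS_OK, 12, host, sizeof host),
           copy_dhcp_option(OPTS_OVERLONG, sizeof OPTS_OVERLONG, 12, host, sizeof host),
           copy_dhcp_option(OPTS_TRUNC, sizeof OPTS_TRUNC, 12, host, sizeof host));
    return 0;
}
```

Both rejections matter: the first check stops reads beyond the received packet, the second stops writes beyond the destination buffer.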

While MediaTek issued a patch for the vulnerability in March 2024, the emergence of a publicly available proof-of-concept exploit as of August 30, 2024, significantly raises the risk of exploitation.
