CVE-2022-24152 in AX3
Summary
by MITRE • 02/04/2022
Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function fromSetRouteStatic. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/05/2022
The vulnerability identified as CVE-2022-24152 affects the Tenda AX3 router firmware version v16.03.12.10_CN and represents a critical stack overflow condition within the fromSetRouteStatic function. This type of vulnerability falls under the Common Weakness Enumeration category CWE-121, which specifically addresses stack-based buffer overflows where insufficient bounds checking allows attackers to overwrite adjacent memory locations on the stack. The flaw manifests when the router processes the list parameter, indicating that input validation mechanisms are inadequate to prevent malicious data from exceeding allocated buffer boundaries.
The technical implementation of this vulnerability occurs within the router's web interface handling mechanism where user-supplied parameters are directly processed without proper sanitization or size verification. When an attacker crafts a malicious payload containing an excessively long list parameter, the fromSetRouteStatic function fails to validate the input length before copying data into a fixed-size stack buffer. This condition creates an exploitable scenario where the overflow can overwrite return addresses, function pointers, and other critical stack memory segments, leading to unpredictable behavior and system instability. The vulnerability specifically targets the router's routing configuration functionality, suggesting that the issue stems from how static route parameters are processed within the device's configuration management system.
The operational impact of this vulnerability extends beyond simple denial of service conditions to potentially enable more sophisticated attack vectors. While the primary effect is a denial of service that renders the router inaccessible to legitimate users, the stack overflow condition creates opportunities for attackers to execute arbitrary code or manipulate the device's operational state. This represents a significant concern for network infrastructure devices, as the router's core routing functionality becomes compromised and can be exploited to disrupt network connectivity for all connected devices. The vulnerability affects the device's web management interface, meaning that exploitation can occur remotely without requiring physical access to the device, aligning with ATT&CK technique T1219 for remote access and T1499 for network disruption.
Mitigation strategies for CVE-2022-24152 should prioritize immediate firmware updates from Tenda to address the underlying buffer overflow condition in the fromSetRouteStatic function. Network administrators should implement network segmentation and access controls to limit exposure of affected routers to untrusted networks, while also monitoring for anomalous traffic patterns that might indicate exploitation attempts. The vulnerability demonstrates the importance of input validation and bounds checking in embedded systems, particularly those handling user-provided parameters in web interfaces. Security professionals should also consider implementing network-based intrusion detection systems that can identify malformed requests targeting the affected parameter structure, as the vulnerability creates predictable attack patterns that can be detected through traffic analysis. Additionally, organizations should conduct thorough inventory assessments to identify all affected Tenda AX3 devices within their network infrastructure and prioritize remediation efforts based on the criticality of each device's role in the network topology.