CVE-2024-3910 in AC500info

Summary

by MITRE • 04/17/2024

A vulnerability, which was classified as critical, has been found in Tenda AC500 2.0.1.9(1307). Affected by this issue is the function fromDhcpListClient of the file /goform/DhcpListClient. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-261146 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/22/2025

The vulnerability identified as CVE-2024-3910 represents a critical stack-based buffer overflow flaw within the Tenda AC500 wireless router firmware version 2.0.1.9(1307). This vulnerability resides in the DhcpListClient function located within the /goform/DhcpListClient file, making it accessible through the web interface of the affected device. The specific flaw occurs when processing the page argument parameter, which allows attackers to manipulate input data in a manner that exceeds the allocated buffer space on the stack. This type of vulnerability falls under CWE-121 Stack-based Buffer Overflow, which is classified as a fundamental memory safety issue that can lead to arbitrary code execution.

The technical exploitation of this vulnerability enables remote attackers to achieve arbitrary code execution on the affected device through a specially crafted HTTP request targeting the vulnerable web form endpoint. The stack-based buffer overflow occurs when the page parameter exceeds the predefined buffer size allocated for handling DHCP client list pagination requests. This allows attackers to overwrite adjacent stack memory locations, potentially corrupting program execution flow and enabling malicious code injection. The vulnerability's remote exploitability means that no physical access or local network presence is required for successful exploitation, making it particularly dangerous for networked devices. According to ATT&CK framework, this vulnerability maps to T1210 Exploitation of Remote Services and T1059 Command and Scripting Interpreter, as it allows for remote command execution through web interface manipulation.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with complete control over the affected router's functionality. Once exploited, attackers can manipulate network traffic, redirect DNS requests, modify firewall rules, and potentially establish persistent backdoors within the network infrastructure. The device's role as a central networking hub makes this vulnerability particularly dangerous for home and small office networks, where it could provide attackers with a foothold for broader network infiltration. The lack of vendor response to early disclosure attempts compounds the risk, as users remain unaware of the vulnerability's existence and potential exploitation. This vulnerability affects not only the router's administrative functions but also its core networking capabilities, potentially disrupting network services and enabling man-in-the-middle attacks. The public disclosure of the exploit code in VDB-261146 further increases the risk, as it removes the barrier to entry for less sophisticated attackers who can simply deploy the existing exploit to compromise affected devices.

Organizations and individuals should immediately implement mitigations including firmware updates from the vendor if available, network segmentation to isolate affected devices, and monitoring for unusual network traffic patterns. Network administrators should consider disabling unnecessary web management interfaces and implementing intrusion detection systems to identify exploitation attempts. The vulnerability highlights the importance of firmware security auditing and proper input validation in embedded network devices. Given the critical nature of this vulnerability and the absence of vendor response, users should consider alternative firmware options such as OpenWrt or DD-WRT if the device is still supported, or replace the affected hardware entirely. The incident underscores the broader challenge of securing IoT and networking equipment where vendors may not provide timely security updates or responses to vulnerability reports.

Responsible

VulDB

Reservation

04/17/2024

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.01730

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!