CVE-2024-4065 in AC8
Summary
by MITRE • 04/23/2024
A vulnerability was found in Tenda AC8 16.03.34.09. It has been rated as critical. This issue affects the function formSetRebootTimer of the file /goform/SetRebootTimer. The manipulation of the argument rebootTime leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261791. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/22/2025
The vulnerability identified as CVE-2024-4065 represents a critical stack-based buffer overflow in the Tenda AC8 router firmware version 16.03.34.09. This flaw exists within the web-based administration interface, specifically in the formSetRebootTimer function located at /goform/SetRebootTimer. The issue stems from inadequate input validation and bounds checking when processing the rebootTime parameter, creating a pathway for attackers to execute arbitrary code on the affected device. The vulnerability's remote exploitability means that an attacker can trigger the buffer overflow without physical access to the device, making it particularly dangerous for network-connected IoT devices.
The technical implementation of this vulnerability follows a classic stack-based buffer overflow pattern where the rebootTime argument is processed without proper size validation, allowing an attacker to overwrite adjacent memory locations on the stack. This type of vulnerability falls under CWE-121, which specifically addresses stack-based buffer overflow conditions, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter usage. The buffer overflow can potentially lead to arbitrary code execution, privilege escalation, and complete system compromise, as the stack corruption may allow attackers to redirect program execution flow to malicious payloads injected into the vulnerable parameter.
The operational impact of this vulnerability extends beyond simple device compromise, as routers serve as critical network infrastructure points that can provide attackers with persistent access to entire network segments. Once exploited, the attacker could gain root access to the router, enabling them to modify network configurations, intercept traffic, create backdoors, or use the device as a pivot point for attacking other systems within the network. The fact that this vulnerability has been publicly disclosed and has an associated VDB-261791 identifier indicates that it is likely already being actively exploited in the wild, posing an immediate threat to organizations and individuals using affected Tenda AC8 devices.
Mitigation strategies for CVE-2024-4065 should include immediate firmware updates from Tenda if available, though the vendor's lack of response to early disclosure concerns raises questions about the availability of patched versions. Network segmentation and access control measures should be implemented to limit exposure of affected devices to untrusted networks, while monitoring for unusual network traffic patterns or unauthorized configuration changes can help detect potential exploitation attempts. Security professionals should also consider implementing intrusion detection systems that can identify malicious requests targeting the vulnerable /goform/SetRebootTimer endpoint, and organizations should conduct comprehensive inventory audits to identify all affected Tenda AC8 devices within their network infrastructure to ensure proper remediation.