
A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution.
The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF’s implementation of the tinydhcp server stemming from a lack of adequate input validation.
“There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution,” CERT Coordination Center (CERT/CC) said in an advisory.

Given that the software is no longer supported and is rooted in IoT-centric code, CERT/CC has warned that the vulnerability is “likely to surface in many places in the wild.”
The issue affects ASF 3.52.0.2574 and all prior versions of the software, with CERT/CC also noting that multiple forks of the tinydhcp software are likely susceptible to the flaw as well.
There are currently no fixes or mitigations to address CVE-2024-7490, barring replacing the tinydhcp service with another one that does not have the same issue.
The development comes as SonicWall Capture Labs detailed a critical zero-click vulnerability affecting MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8) that could open the door to remote code execution without requiring any user interaction due to an out-of-bounds write issue.
“The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02,” the company said. “This translates to a large variety of vulnerable devices, including routers and smartphones.”

“The vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy. This buffer overflow creates an out-of-bounds write.”
A patch for the vulnerability was released by MediaTek in March 2024, although the likelihood of exploitation has increased with the public availability of a proof-of-concept (PoC) exploit as of August 30, 2024.
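
As an added illustration (not code from ASF, tinydhcp, MediaTek or the advisories quoted above), the C sketch below shows the hardened form of the pattern both descriptions point to: a length field read from the packet is checked against the bytes remaining in the packet and against the destination capacity before it reaches the memory copy. The function name, constants and sample bytes are assumptions constructed for the example; it uses the standard DHCP option layout of code, length, value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; not ASF, tinydhcp or MediaTek code. */
#define OPT_PAD 0u
#define OPT_END 255u

/* Copy the value of option `want` from an untrusted options area into dst.
 * Returns bytes copied, or -1 if the option is absent, truncated, or
 * larger than the destination buffer. */
int copy_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                uint8_t *dst, size_t dst_cap)
{
    size_t i = 0;

    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD)
            continue;               /* one-byte padding, no length field */
        if (code == OPT_END)
            break;
        if (i >= opts_len)
            return -1;              /* truncated: length byte missing */

        size_t len = opts[i++];     /* length comes from the packet */
        if (len > opts_len - i)
            return -1;              /* value would run past the packet */

        if (code == want) {
            if (len > dst_cap)
                return -1;          /* value would overflow dst */
            memcpy(dst, &opts[i], len);  /* safe only after both checks */
            return (int)len;
        }
        i += len;                   /* skip options we do not need */
    }
    return -1;
}

/* Constructed sample inputs (not captured traffic); 12 = host name option. */
static const uint8_t ok_opts[]  = { 0, 53, 1, 3, 12, 4, 'n', 'o', 'd', 'e', 255 };
static const uint8_t bad_opts[] = { 12, 200, 'A', 'A', 255 }; /* len > packet */
static uint8_t name[8];

int main(void)
{
    return copy_option(ok_opts, sizeof ok_opts, 12, name, sizeof name) == 4 ? 0 : 1;
}
```

Dropping either length check reproduces the flaw class described: the copy then trusts a size chosen by whoever sent the packet.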