{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/138043#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA stack-based overflow vulnerability exists in the tinydhcp server in the Microchip Advanced Software Framework (ASF) that can lead to remote code execution.\r\n\r\n### Description\r\nAn implementation of DHCP in ASF fails input validation, thereby creating conditions for a stack-based overflow. The software is no longer supported by the vendor. Because this vulnerability is in IoT-centric code, it is likely to surface in many places in the wild.\r\n\r\n**CVE-2024-7490**\r\nThere exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution.\r\n\r\n### Impact\r\nThis vulnerability can be tested by sending a single DHCP Request packet to a multicast address. This vulnerability exists in the current version of ASF 3.52.0.2574 and all previous versions of the software. There are also multiple forks of the tinydhcp software on GitHub that are potentially susceptible to this vulnerability.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem other than replacing the tinydhcp service with another one that does not have the same issue.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Andrue Coombes of Amazon Element55. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"},{"category":"other","text":"This software solution is no longer being supported by Microchip. Any remediation action will be to migrate to a current software solution that is under active maintenance from us.","title":"Vendor statement from Microchip Technology"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/138043"},{"url":"https://asf.microchip.com/docs/latest/","summary":"https://asf.microchip.com/docs/latest/"},{"url":"https://savannah.nongnu.org/projects/lwip/","summary":"https://savannah.nongnu.org/projects/lwip/"},{"url":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c","summary":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c"},{"url":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L158","summary":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L158"},{"url":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L323","summary":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L323"},{"url":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L129","summary":"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L129"},{"url":"https://gallery.microchip.com/packages/4CE20911-D794-4550-8B94-6C66A93228B8/","summary":"https://gallery.microchip.com/packages/4CE20911-D794-4550-8B94-6C66A93228B8/"}],"title":"A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server","tracking":{"current_release_date":"2024-09-19T11:47:13+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#138043","initial_release_date":"2024-09-19 11:47:13.929871+00:00","revision_history":[{"date":"2024-09-19T11:47:13+00:00","number":"1.20240919114713.1","summary":"Released on 2024-09-19T11:47:13+00:00"}],"status":"final","version":"1.20240919114713.1"}},"vulnerabilities":[{"title":"There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution.","notes":[{"category":"summary","text":"There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution."}],"cve":"CVE-2024-7490","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#138043"}],"product_status":{"known_affected":["CSAFPID-b5c6c214-3476-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Microchip Technology","product":{"name":"Microchip Technology Products","product_id":"CSAFPID-b5c6c214-3476-11f1-8422-122e2785dc9f"}}]}}