CVE-2024-7490

Summary

Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.

This issue affects Advanced Software Framework: through 3.52.0.2574.

ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.

Affected Software

VendorProductVersion RangeStatus
Microchip TechologyAdvanced Software Framework0 <= 3.52.0.2574affected

Weaknesses

  • CWE-120: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Workarounds

The issue can be mitigated by adding a check to the size variable after the call [1] to pbuf_get_at on line 127 [1]. If the size variable is not 4, then the function should cease processing and return. The lwip_dhcp_find_option function is only used to find this one option.

[1] https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References