September 23, 2024 at 10:00AM
The CERT Coordination Center at Carnegie Mellon University has issued an advisory for a critical flaw in Microchip’s Advanced Software Framework (ASF) that allows remote code execution via specially crafted DHCP requests. The security issue affects ASF 3.52.0.2574 and older versions, with no practical solution other than replacing the vulnerable Tinydhcp service.
Key takeaways from the meeting notes are as follows:
1. CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an advisory regarding a critical flaw in Microchip’s Advanced Software Framework (ASF).
2. The security vulnerability, tracked as CVE-2024-7490, allows for remote code execution using specially crafted DHCP requests due to a stack-based overflow in ASF’s implementation of the Tinydhcp server.
3. This vulnerability affects ASF 3.52.0.2574 and all previous versions, as well as Tinydhcp forks available on GitHub. The affected ASF version is no longer supported by the vendor.
4. CERT/CC suggests replacing the Tinydhcp service with an alternative that does not have the same issue, as they are currently unaware of a practical solution to the problem.
5. Microchip was recently targeted in a ransomware attack, which caused disruptions and allegedly resulted in the theft of several gigabytes of data.
Please let me know if you need further information or analysis on any specific aspect of the notes.