September 23, 2024 at 06:49AM
A critical vulnerability (CVE-2024-7490) in Microchip Advanced Software Framework (ASF) could lead to remote code execution, impacting ASF 3.52.0.2574 and earlier versions. No fixes or mitigations are available, except replacing the tinydhcp service. Additionally, SonicWall detailed a severe zero-click vulnerability (CVE-2024-20017) in MediaTek Wi-Fi chipsets, with a patch released in March 2024.
Key takeaways from the meeting notes:
– A critical security flaw (CVE-2024-7490) has been disclosed in the Microchip Advanced Software Framework (ASF), leading to a remote code execution possibility with a CVSS score of 9.5.
– The vulnerability is described as a stack-based overflow in ASF’s implementation of the tinydhcp server due to inadequate input validation.
– The software is no longer supported and is rooted in IoT-centric code, posing a high risk of surfacing in many environments.
– ASF versions 3.52.0.2574 and all prior versions are affected by this flaw, along with multiple forks of tinydhcp software.
– No current fixes or mitigations are available, leaving the only immediate solution as replacing the tinydhcp service with an alternative.
– An additional vulnerability affecting MediaTek Wi-Fi chipsets (CVE-2024-20017, CVSS 9.8) has been detailed by SonicWall Capture Labs, potentially enabling remote code execution without user interaction.
– The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02. A patch was released in March 2024, but the availability of a proof-of-concept (PoC) exploit has increased the likelihood of exploitation.
For further security-related content and updates, it’s recommended to follow the source on Twitter and LinkedIn.