A critical security vulnerability has been discovered in the Microchip Advanced Software Framework (ASF), which could allow remote code execution. Tracked as CVE-2024-7490, this flaw affects versions of ASF 3.52.0.2574 and earlier, as well as multiple forks of the tinydhcp software. The vulnerability is a stack-based overflow caused by insufficient input validation in ASF’s tinydhcp server, enabling a specially crafted DHCP request to trigger the overflow and potentially execute malicious code. The flaw carries a CVSS score of 9.5, indicating its high severity.
As ASF is no longer supported, CERT/CC has warned that this vulnerability is likely to be found in many IoT devices in the wild, especially given the software’s widespread use in embedded systems. The flaw remains unpatched, and there are currently no direct mitigations other than replacing the vulnerable tinydhcp service with an alternative that doesn’t share the same flaw. This makes the vulnerability particularly concerning for industries still using outdated versions of ASF or similar vulnerable software.
In addition to the ASF vulnerability, a separate but equally serious issue has been identified in MediaTek Wi-Fi chipsets. This zero-click vulnerability, identified as CVE-2024-20017, can lead to remote code execution without requiring user interaction. The flaw, caused by an out-of-bounds write due to improper bounds checking, affects a variety of devices, including routers and smartphones that use MediaTek SDK versions 7.4.0.1 and earlier. The buffer overflow allows attackers to write data outside the intended memory bounds, leading to potential system compromises.
Although MediaTek released a patch for this vulnerability in March 2024, the risk of exploitation has been heightened by the availability of a proof-of-concept exploit, which was made public in August 2024. The combination of these vulnerabilities—one in the Microchip ASF and the other in MediaTek chipsets—highlights the growing risks in embedded systems and IoT devices. As both issues allow for remote code execution, they present significant threats to users and organizations that have not yet applied the necessary security patches.
Reference:
