A critical vulnerability in the Microchip Advanced Software Framework (ASF) has been uncovered, potentially allowing remote code execution (RCE) via a stack-based overflow in the tinydhcp server. The flaw, identified as CVE-2024-7490, carries a high CVSS score of 9.5 and stems from insufficient input validation. Exploiting the vulnerability requires sending a specially crafted DHCP request, leading to a stack overflow. CERT/CC has warned that the vulnerability is prevalent in IoT-focused code and may surface in various devices since the affected software is no longer supported.
ASF version 3.52.0.2574 and earlier are impacted, and the flaw is likely present in multiple forks of tinydhcp. No fixes or mitigations are available, except for replacing the vulnerable service.
This disclosure follows another significant issue reported by SonicWall Capture Labs: a zero-click vulnerability (CVE-2024-20017, CVSS 9.8) affecting MediaTek Wi-Fi chipsets. This flaw, caused by an out-of-bounds write, could enable RCE without user interaction. MediaTek released a patch in March 2024, but the risk of exploitation has grown following the release of a proof-of-concept (PoC) exploit in August 2024.