CVE-2017-8329

Name of the Vulnerable Software and Affected Versions Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096

Description An issue was discovered in the device's handling of wireless network names. The device stores these values in NVRAM and does not perform a string length check on the POST parameters, allowing an attacker to send a large payload in the mssid 1 parameter. This can lead to a stack overflow when the device retrieves the value, enabling an attacker to control the device by executing a payload of their choice. The binary goahead contains the vulnerable function that receives the values sent by the POST request, and the function sub 00420F38 is identified as receiving the values sent in the mssid 1 parameter.

Recommendations For Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096, consider disabling the mssid 1 parameter in the POST request to prevent exploitation until a patch is available. Restrict access to the goahead binary and the sub 00420F38 function to minimize the risk of exploitation. Avoid using the mssid 1 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.