CVE-2020-13389

Name of the Vulnerable Software and Affected Versions Tenda AC6 version 1.0 V15.03.05.19 multi TD01 Tenda AC9 version 1.0 V15.03.05.19(6318) CN Tenda AC9 version 3.0 V15.03.06.42 multi Tenda AC15 version 1.0 V15.03.05.19 multi TD01 Tenda AC18 version 15.03.05.19(6318) CN

Description A buffer overflow issue exists in the router's web server, httpd. The vulnerability occurs when processing the schedStartTime and schedEndTime parameters for a POST request to the "/goform/openSchedWifi" API endpoint. An attacker can exploit this by constructing a payload that allows for arbitrary code execution attacks.

Recommendations For Tenda AC6 version 1.0 V15.03.05.19 multi TD01, consider disabling the httpd service until a patch is available. For Tenda AC9 version 1.0 V15.03.05.19(6318) CN, restrict access to the "/goform/openSchedWifi" API endpoint to minimize the risk of exploitation. For Tenda AC9 version 3.0 V15.03.06.42 multi, avoid using the schedStartTime and schedEndTime parameters in the affected API endpoint until the issue is resolved. For Tenda AC15 version 1.0 V15.03.05.19 multi TD01, consider temporarily disabling the vulnerable httpd service. For Tenda AC18 version 15.03.05.19(6318) CN, restrict access to the vulnerable module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.