CVE-2020-13390

Name of the Vulnerable Software and Affected Versions Tenda AC6 version 1.0 V15.03.05.19 multi TD01 Tenda AC9 version 1.0 V15.03.05.19(6318) CN Tenda AC9 version 3.0 V15.03.06.42 multi Tenda AC15 version 1.0 V15.03.05.19 multi TD01 Tenda AC18 version 15.03.05.19(6318) CN

Description A buffer overflow issue exists in the router's web server, specifically in the httpd service. This occurs when processing the "mitInterface" parameter and "/goform/addressNat" entries for a POST request. The vulnerability allows an attacker to construct a payload that can lead to arbitrary code execution attacks by overwriting the return address of a function.

Recommendations For Tenda AC6 version 1.0 V15.03.05.19 multi TD01, consider disabling the httpd service until a patch is available. For Tenda AC9 version 1.0 V15.03.05.19(6318) CN, restrict access to the "/goform/addressNat" endpoint to minimize the risk of exploitation. For Tenda AC9 version 3.0 V15.03.06.42 multi, avoid using the mitInterface parameter in the affected API endpoint until the issue is resolved. For Tenda AC15 version 1.0 V15.03.05.19 multi TD01, restrict access to the vulnerable httpd service to minimize the risk of exploitation. For Tenda AC18 version 15.03.05.19(6318) CN, consider disabling the httpd service until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.