CVE-2024-4244

Name of the Vulnerable Software and Affected Versions: Tenda W9 version 1.0.0.7(4456)

Description: The issue is related to a stack-based buffer overflow in the fromDhcpSetSer function of the /goform/DhcpSetSer file. This can be exploited by sending specially crafted POST requests, potentially allowing a remote attacker to execute arbitrary code. The manipulation of arguments such as dhcpStartIp, dhcpEndIp, dhcpGw, dhcpMask, dhcpLeaseTime, dhcpDns1, and dhcpDns2 leads to this buffer overflow. The attack can be launched remotely.

Recommendations: As a temporary workaround, consider disabling the fromDhcpSetSer function until a patch is available. Restrict access to the /goform/DhcpSetSer file to minimize the risk of exploitation. Avoid using the parameters dhcpStartIp, dhcpEndIp, dhcpGw, dhcpMask, dhcpLeaseTime, dhcpDns1, and dhcpDns2 in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.