CVE-2024-4165

Name of the Vulnerable Software and Affected Versions: Tenda G3 version 15.11.0.17(9502)

Description: A critical issue was found in the modifyDhcpRule function of the /goform/modifyDhcpRule file, which is related to a stack-based buffer overflow. The manipulation of the bindDhcpIndex argument can lead to this issue. It is possible to launch the attack remotely by sending specially crafted POST requests, potentially allowing an attacker to execute arbitrary code. The exploit has been disclosed to the public and may be used.

Recommendations: For Tenda G3 version 15.11.0.17(9502), as a temporary workaround, consider disabling the modifyDhcpRule function until a patch is available. Restrict access to the /goform/modifyDhcpRule file to minimize the risk of exploitation. Avoid using the bindDhcpIndex argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.