CVE-2024-12002

Name of the Vulnerable Software and Affected Versions: Tenda FH451 versions up to 20241129 Tenda FH1201 versions up to 20241129 Tenda FH1202 versions up to 20241129 Tenda FH1206 versions up to 20241129

Description: The issue is related to a null pointer dereference error in the websReadEvent() function of the affected Tenda router models. This can be exploited by sending specially crafted packets, potentially allowing a remote attacker to cause a denial of service. The manipulation of the Content-Length argument leads to this null pointer dereference. The attack can be launched remotely.

Recommendations: For Tenda FH451 versions up to 20241129, update the firmware immediately and restrict remote access to the /goform/GetIPTV endpoint. For Tenda FH1201 versions up to 20241129, update the firmware immediately and restrict remote access to the /goform/GetIPTV endpoint. For Tenda FH1202 versions up to 20241129, update the firmware immediately and restrict remote access to the /goform/GetIPTV endpoint. For Tenda FH1206 versions up to 20241129, update the firmware immediately and restrict remote access to the /goform/GetIPTV endpoint. As a temporary workaround, consider disabling the websReadEvent() function until a patch is available. Restrict access to the /goform/GetIPTV endpoint to minimize the risk of exploitation. Avoid using the Content-Length argument in the affected API endpoint until the issue is resolved.