Critical Security Flaw in Microchip ASF Exposes IoT Devices

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued a critical warning regarding a security flaw in the Microchip Advanced Software Framework (ASF). This vulnerability, tracked as CVE-2024-7490, is a stack-based overflow issue linked to the tinydhcp server implementation within ASF, potentially allowing attackers to execute remote code.

The flaw arises from inadequate input validation in the DHCP implementation of ASF. A specially crafted DHCP request can trigger a stack-based overflow, raising alarms for developers and users of Microchip's technology. CERT/CC highlighted the issue's severity, noting its presence in IoT-centric code used in numerous devices globally.
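The article does not give the affected code, so the following is an added illustration rather than tinydhcp or ASF code: a walker over the DHCP options field (RFC 2132 code/length/value layout) that applies the length checks whose absence the article describes. The option code 12 (host name), the HOSTNAME_MAX limit and the sample option bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical example, not tinydhcp code. Each DHCP option is
 * code (1 byte), length (1 byte), value (length bytes); 0xFF ends
 * the list, 0x00 is a single-byte pad. */
#define DHCP_OPT_PAD    0x00
#define DHCP_OPT_END    0xFF
#define DHCP_OPT_HOST   12
#define HOSTNAME_MAX    63   /* fixed-size destination owned by the caller */

/* Copies the host name option into a fixed buffer.
 * Returns 0 on success, -1 if the options are malformed or the value
 * would not fit. Never reads past opts+len, never writes past
 * HOSTNAME_MAX bytes: the two checks that turn a crafted length
 * byte into a rejected packet instead of a stack overflow. */
int dhcp_get_hostname(const uint8_t *opts, size_t len,
                      char out[HOSTNAME_MAX + 1])
{
    size_t i = 0;
    out[0] = '\0';
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_END) return -1;      /* option not present */
        if (code == DHCP_OPT_PAD) continue;
        if (i >= len) return -1;                  /* truncated: no length byte */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -1;            /* value runs past the packet */
        if (code == DHCP_OPT_HOST) {
            if (olen > HOSTNAME_MAX) return -1;   /* would overflow out[] */
            memcpy(out, opts + i, olen);
            out[olen] = '\0';
            return 0;
        }
        i += olen;                                /* skip options we ignore */
    }
    return -1;                                    /* no 0xFF terminator */
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t sample_ok[]  = { 53,1,3, 12,4,'i','o','t','1', 0xFF };
static const uint8_t sample_bad[] = { 53,1,3, 12,200,'x' }; /* claims 200 bytes, 1 present */

int check_ok(void)  { char n[HOSTNAME_MAX + 1]; return dhcp_get_hostname(sample_ok, sizeof sample_ok, n) == 0 && strcmp(n, "iot1") == 0; }
int check_bad(void) { char n[HOSTNAME_MAX + 1]; return dhcp_get_hostname(sample_bad, sizeof sample_bad, n) == -1; }
int check_too_long(void) {                        /* in-bounds value, but larger than out[] */
    uint8_t pkt[2 + 64 + 1]; char n[HOSTNAME_MAX + 1];
    pkt[0] = DHCP_OPT_HOST; pkt[1] = 64; memset(pkt + 2, 'A', 64); pkt[66] = DHCP_OPT_END;
    return dhcp_get_hostname(pkt, sizeof pkt, n) == -1;
}
```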

Exploitation of this vulnerability is alarmingly simple: an attacker needs only to send a single DHCP Request packet to a multicast address. Affected versions include ASF 3.52.0.2574 and all earlier releases; developers using forks of the tinydhcp server hosted on platforms such as GitHub are also at risk.

The Microchip Advanced Software Framework is a free and open-source library designed for microcontrollers, utilized throughout various stages of product life cycles. However, the software is no longer actively supported by Microchip, complicating the situation for users relying on outdated versions.

Discovered by Andrue Coombes from Amazon Element55, the flaw's prevalence in IoT applications suggests it could affect countless devices utilizing Microchip technology. The security risk posed by CVE-2024-7490 is significant, as attackers could exploit this vulnerability to manipulate systems, deploy malware, or inflict substantial damage.

Given Microchip's recent history of a ransomware attack that compromised significant data assets, the urgency for improved cybersecurity measures is heightened, especially for firms using outdated or unsupported software.

Users of the Microchip ASF are strongly advised to take immediate action. The CERT/CC recommends migrating to a currently supported software solution, as no immediate fix is available for the identified vulnerability other than replacing the tinydhcp service with an alternative that does not share the same flaw.
