Advisory

Critical flaw reported in Linksys EA7500 routers

Take action: We don't have any advice on this one except to try to block port 49152. The router should sit behind a modem and ideally should not be visible from the internet, but that may not always be the case. Until Linksys publishes mitigation advice or a patch, you are at risk; hopefully the patch will come quickly. Check the Linksys pages often.


Learn More

A critical vulnerability has been identified in Linksys EA7500 routers, affecting all firmware versions up to the latest release, Ver.3.0.1.207964.

The critical flaw, tracked as CVE-2023-46012 (CVSS score 9.8), allows unauthorized remote code execution and originates in the router's handling of HTTP request data for the Internet Gateway Device (IGD) Universal Plug and Play (UPnP) service. Specifically, while processing a SOAP UPnP Action Request, the firmware fails to validate the length of user-supplied data before copying it into a fixed-length stack buffer. The defect lies in a function called _set_connection_type, which sets up a 184-byte buffer to hold a user-supplied string; the string's length is not checked before the copy, leading to a stack buffer overflow.

Here is a simplified breakdown of the vulnerable process:

  • The function _set_connection_type initializes a buffer of 184 bytes.
  • It retrieves a user-defined value using PAL_xml_node_GetFirstbyName and then PAL_xml_node_get_value.
  • The retrieved value's length is not validated before it is copied with the strncpy function, which neither checks the destination buffer's size nor guarantees null termination.

This improper handling allows an attacker to craft a malicious HTTP request containing an oversized string variable. Such a request can overflow the buffer, potentially overwriting critical memory areas, including function return addresses. This can allow attackers to redirect program execution to arbitrary addresses, leading to unauthorized code execution with root privileges.
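As an added illustration (not Linksys firmware code), here is the copy step the advisory describes: the unchecked strncpy pattern is shown in a comment beside a bounds-checked replacement that rejects oversized values before they reach the 184-byte stack buffer. Only the 184-byte size comes from the advisory; the function names, status codes and the 'A'-filled probe input are assumed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define CONN_TYPE_BUF_LEN 184   /* fixed-length stack buffer size from the advisory */

enum conn_type_status { CONN_TYPE_OK = 0, CONN_TYPE_TOO_LONG = -1, CONN_TYPE_MISSING = -2 };

/* Bounds-checked version of the copy step. `value` stands in for the string
 * returned by the XML node lookup; `applied` receives the validated copy. */
enum conn_type_status set_connection_type_checked(const char *value, char *applied, size_t applied_len)
{
    char buf[CONN_TYPE_BUF_LEN];
    size_t n;
    if (value == NULL) return CONN_TYPE_MISSING;
    n = strlen(value);
    /* Vulnerable pattern from the advisory (shown, not used):
     *     strncpy(buf, value, n);
     * The bound is the source length, so nothing limits the write to the
     * 184-byte destination and no terminator is stored when n >= sizeof buf. */
    if (n >= sizeof buf)
        return CONN_TYPE_TOO_LONG;   /* refuse oversized input instead of overflowing */
    memcpy(buf, value, n);
    buf[n] = '\0';                   /* always terminated */
    if (applied != NULL && applied_len > 0) {
        size_t c = n < applied_len - 1 ? n : applied_len - 1;
        memcpy(applied, buf, c);
        applied[c] = '\0';
    }
    return CONN_TYPE_OK;
}

/* Feeds `len` bytes of 'A' (constructed input) to the checked handler. */
enum conn_type_status probe_conn_type_len(size_t len)
{
    char value[CONN_TYPE_BUF_LEN + 64];
    if (len >= sizeof value) return CONN_TYPE_TOO_LONG;   /* beyond the probe buffer: treat as oversized */
    memset(value, 'A', len);
    value[len] = '\0';
    return set_connection_type_checked(value, NULL, 0);
}

/* 1 if `value` is accepted and handed back unchanged, else 0. */
int conn_type_roundtrip(const char *value)
{
    char out[CONN_TYPE_BUF_LEN];
    return set_connection_type_checked(value, out, sizeof out) == CONN_TYPE_OK
           && strcmp(out, value) == 0;
}
```

The boundary is the point to watch: a 183-byte value is the longest the 184-byte buffer can hold with its terminator, so 184 bytes and up must be refused.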

There is no patch available yet. Linksys EA7500 router users are strongly advised to keep an eye on the Linksys support page for firmware updates designed to fix this issue.
