Critical flaw reported in Microchip Advanced Software Framework
Take action: This one is going to be very difficult to investigate. First, make sure your IoT infrastructure is isolated from the internet. Then check with vendors whether your devices are using Microchip's Advanced Software Framework. Finally, plan for patching, risk acceptance or replacement of product/firmware. Isolation is the order of the day, then one thing at a time.
Learn More
A critical vulnerability has been discovered in Microchip's Advanced Software Framework (ASF) that could lead to remote code execution.
The flaw, tracked as CVE-2024-7490 (CVSS score of 9.8), is due to a stack-based buffer overflow in the implementation of the tinydhcp server. This vulnerability arises from inadequate input validation in DHCP requests, which allows a specially crafted request to trigger the overflow.
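As an added illustration (not Microchip's or tinydhcp's code, and not the specific defect behind CVE-2024-7490, whose details the advisory does not give), the C function below shows the input-validation step a DHCP option parser needs so that an attacker-controlled option length can never be used to write past a fixed-size buffer; the DHCP option bytes it is run against are constructed samples, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DHCP option codes from RFC 2132 */
#define DHCP_OPT_PAD      0
#define DHCP_OPT_HOSTNAME 12
#define DHCP_OPT_END      255

/* Walk the DHCP options field (a TLV list) without trusting any option's
 * declared length: each length is checked against the bytes actually left in
 * the packet, and a copied value is checked against the destination size.
 * Returns 1 if a hostname option was copied into out (NUL-terminated),
 * 0 if the options are well-formed but carry no hostname, -1 if malformed. */
int dhcp_find_hostname(const uint8_t *opts, size_t opts_len, char *out, size_t out_size)
{
    size_t i = 0;
    if (out_size == 0) return -1;
    out[0] = '\0';
    while (i < opts_len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;          /* one-byte option, no length */
        if (code == DHCP_OPT_END) return 0;          /* clean end of options */
        if (i >= opts_len) return -1;                /* length byte is missing */
        uint8_t len = opts[i++];
        if (len > opts_len - i) return -1;           /* value runs past the packet */
        if (code == DHCP_OPT_HOSTNAME) {
            if ((size_t)len >= out_size) return -1;  /* would not fit with its NUL */
            memcpy(out, &opts[i], len);
            out[len] = '\0';
            return 1;
        }
        i += len;                                    /* skip options we do not use */
    }
    return -1;                                       /* packet ended without an END option */
}

/* Constructed sample option fields (hypothetical, not real traffic) for each path. */
int dhcp_example(int which)
{
    static const uint8_t ok[] = { 53, 1, 1, 12, 4, 'h', 'o', 's', 't', 255 }; /* DISCOVER, "host" */
    static const uint8_t truncated[] = { 12, 10, 'a', 'b' };   /* claims 10 bytes, has 2 */
    static uint8_t big[43] = { 12, 40 };                       /* 40-byte name, 16-byte buffer */
    char name[16];
    memset(big + 2, 'A', 40); big[42] = DHCP_OPT_END;
    switch (which) {
    case 0: return dhcp_find_hostname(ok, sizeof ok, name, sizeof name) == 1 && strcmp(name, "host") == 0;
    case 1: return dhcp_find_hostname(truncated, sizeof truncated, name, sizeof name);
    case 2: return dhcp_find_hostname(big, sizeof big, name, sizeof name);
    default: return -2;
    }
}
```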
According to the CERT Coordination Center (CERT/CC), this issue affects all versions of ASF up to and including version 3.52.0.2574. The software is no longer supported by Microchip, and it is deeply embedded in IoT-centric systems, potentially leading to widespread exploitation in the wild.
CERT/CC has also noted that forks of the tinydhcp software, often found on GitHub, may be vulnerable as well.
Currently, there are no patches or mitigations available for CVE-2024-7490. The only advised workaround is to replace the vulnerable tinydhcp service with a more secure alternative that does not have this issue.