In a recent development, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University issued a warning regarding a security flaw found in the Microchip Advanced Software Framework (ASF). This vulnerability, identified as CVE-2024-7490, is associated with a stack-based overflow issue within the tinydhcp server implementation in ASF. As a result, the vulnerability could potentially enable attackers to execute remote code, sparking concerns among developers and users of Microchip technology.
The Microchip vulnerability arises from a lack of proper input validation in the DHCP implementation of the ASF. When a specifically crafted DHCP request is transmitted, it paves the way for a stack-based overflow, creating an opportunity for remote code execution. The CERT/CC flagged this issue as particularly alarming due to its presence in IoT-centric code, which is widespread in devices and applications worldwide.
The simplicity in exploiting this vulnerability is highlighted by the CERT/CC’s statement that it can be tested by sending a single DHCP Request packet to a multicast address. This ease of exploitation raises significant concerns, indicating that malicious actors could potentially leverage this flaw with relative ease.
ASF versions 3.52.0.2574 and all prior iterations are deemed vulnerable to this security flaw. Additionally, developers using forks of the tinydhcp server hosted on platforms like GitHub may also find their projects at risk due to this Microchip vulnerability.
The Microchip Advanced Software Framework serves as a free and open-source code library designed for microcontrollers, aiding in various stages of the product lifecycle. However, the software is no longer actively supported by Microchip, posing challenges for users relying on outdated versions that may contain this vulnerability.
The discovery of the flaw by Andrue Coombes from Amazon Element55 led to the CERT/CC’s advisory. Given the prevalence of this vulnerability in IoT applications, it could manifest in multiple instances across the internet, potentially impacting numerous devices utilizing Microchip technology.
The security implications of CVE-2024-7490 are substantial, as it provides attackers with the capability for remote code execution, allowing them to manipulate systems, deploy malware, or inflict other significant damages. This is particularly concerning in the context of the growing number of IoT devices that could be running on vulnerable ASF versions.
The recent ransomware attack on Microchip further underscores the importance of robust cybersecurity measures, especially for organizations using outdated or unsupported software like the Microchip Advanced Software Framework. Users of ASF are strongly advised to take action, with CERT/CC recommending migration to a currently supported software solution as the most prudent course of action.
“The vendor has urged customers to migrate to a current software solution that is under active maintenance,” stated CERT/CC. Unfortunately, there is no immediate fix available for the identified vulnerability in Microchip’s technology, except for replacing the tinydhcp service with an alternative that does not have the same vulnerability.
In conclusion, the security flaw in the Microchip Advanced Software Framework poses a significant risk to users and developers alike, necessitating proactive measures to address and mitigate the potential threats associated with this vulnerability.