VU#138043: A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server
A stack-based overflow vulnerability (CVE-2024-7490) exists in the tinydhcp server within the Microchip Advanced Software Framework (ASF), potentially allowing remote code execution. The vulnerability arises due to insufficient input validation in the DHCP implementation. Since ASF is commonly used in IoT devices, this issue is likely to affect numerous systems. A single crafted DHCP Request packet sent to a multicast address can trigger the overflow. The current ASF version 3.52.0.2574 and earlier versions are affected. Multiple forks of tinydhcp software on GitHub may also be susceptible. Currently, there is no known practical solution other than replacing tinydhcp with an alternative service. The vulnerability was reported by Andrue Coombes of Amazon Element55.