The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published an advisory for a critical flaw affecting Microchip’s Advanced Software Framework (ASF).
Microchip ASF is a free and open source code library for the company’s microcontrollers. The US-based semiconductor supplier says the product is meant for the evaluation, prototyping, design and production phases.
The security hole, tracked as CVE-2024-7490, was discovered by Andrue Coombes of Amazon Element55. According to CERT/CC, the issue is related to ASF’s implementation of the Tinydhcp server, and it can allow remote code execution using specially crafted DHCP requests.
“An implementation of DHCP in ASF fails input validation, thereby creating conditions for a stack-based overflow,” CERT/CC explained. “Because this vulnerability is in IoT-centric code, it is likely to surface in many places in the wild.”
“This vulnerability can be tested by sending a single DHCP Request packet to a multicast address,” CERT/CC added.
The organization noted that CVE-2024-7490 affects ASF 3.52.0.2574 and all previous versions of the software. Tinydhcp forks available on GitHub could also be impacted.
The affected ASF version is no longer supported by the vendor, which has urged customers to “migrate to a current software solution that is under active maintenance”.
CERT/CC said it’s “currently unaware of a practical solution to this problem other than replacing the Tinydhcp service with another one that does not have the same issue.”
Microchip was recently targeted in a ransomware attack that caused disruptions and allegedly resulted in the theft of several gigabytes of data.
Related: Cyberattack Disrupts Microchip Technology Manufacturing Facilities
Related: Cisco Patches Multiple NX-OS Software Vulnerabilities
Related: Atlassian Patches Vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd