A critical buffer overflow vulnerability has been identified in multiple Tenda networking products. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted web request, which could cause the device to crash or potentially allow the attacker to take complete control. This presents a severe risk of network disruption, data interception, and further intrusions into the connected network.

This is a buffer overflow vulnerability located in the fromAdvSetMacMtuWan function within the device's httpd web server binary. An unauthenticated remote attacker can trigger this vulnerability by sending a specifically crafted POST request to the /goform/AdvSetMacMtuWan endpoint. The function does not properly validate the length of the user-supplied input for the serviceName field. By providing an overly long string in this field, an attacker can overwrite adjacent memory on the stack, leading to a crash (Denial of Service) or, with a carefully constructed payload, arbitrary code execution with the privileges of the web server process.

This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for significant damage. Successful exploitation could grant an attacker complete control over the affected network device. This could lead to severe business consequences, including the interception of sensitive network traffic, redirection of users to malicious websites, modification of network configurations, and using the compromised device as a pivot point to attack other systems on the internal network. The most immediate impact is the potential for a Denial of Service, which would disrupt all internet and network connectivity for users relying on the device.

Immediate Action: Update the firmware on all affected Tenda devices to the latest version provided by the vendor. After applying the update, monitor for any further exploitation attempts and review web access logs for indicators of compromise preceding the patch.

Proactive Monitoring:

• Network Traffic: Monitor for an unusual volume of POST requests to the /goform/AdvSetMacMtuWan URI.
• Log Analysis: Review web server logs for requests to this endpoint, specifically looking for entries with abnormally long values for the serviceName parameter or requests that resulted in server errors or crashes.
• System Behavior: Monitor affected devices for unexpected reboots, instability, or crashes of the httpd service.

Compensating Controls:

• Restrict access to the device's web administration interface from the WAN (internet). This is a critical security best practice that mitigates this and many other remote vulnerabilities.
• If available, deploy an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) with rules to detect and block requests containing an anomalously long serviceName parameter sent to the vulnerable endpoint.
• Ensure the device is on a segmented network to limit the potential impact should a compromise occur.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization due to its high severity and potential for remote code execution. Immediate patching of all affected Tenda devices should be considered the highest priority. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical CVSS score warrants urgent attention. Organizations should apply the vendor-supplied firmware updates without delay and implement the recommended monitoring and compensating controls to mitigate risk.