Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk

A critical security flaw has been identified in the Microchip Advanced Software Framework (ASF), potentially leading to remote code execution if exploited.

This vulnerability, known as CVE-2024-7490, has a CVSS score of 9.5 out of 10. It is a stack-based overflow issue in ASF’s tinydhcp server, caused by insufficient input validation.

CERT Coordination Center (CERT/CC) has issued an advisory stating that all publicly available examples of the ASF codebase are vulnerable to a specially crafted DHCP request, which can trigger a stack-based overflow and enable remote code execution.

Given that ASF is no longer supported and is widely used in IoT devices, CERT/CC warns that this vulnerability is likely to be found in many places. The flaw affects ASF version 3.52.0.2574 and all earlier versions, and multiple forks of the tinydhcp software may also be vulnerable.

Currently, there are no fixes or mitigations for CVE-2024-7490, except for replacing the tinydhcp service with a different one that does not have this issue.