CERT/CC Warns of Unpatched Critical Vulnerability in Microchip ASF

CERT

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published an advisory for a critical flaw affecting Microchip’s Advanced Software Framework (ASF).

Microchip ASF is a free and open source code library for the company’s microcontrollers. The US-based semiconductor supplier says the product is meant for the evaluation, prototyping, design and production phases.

The security hole, tracked as CVE-2024-7490, was discovered by Andrue Coombes of Amazon Element55. According to CERT/CC, the issue is related to ASF’s implementation of the Tinydhcp server, and it can allow remote code execution using specially crafted DHCP requests.

“An implementation of DHCP in ASF fails input validation, thereby creating conditions for a stack-based overflow,” CERT/CC explained. “Because this vulnerability is in IoT-centric code, it is likely to surface in many places in the wild.”

Also read: Exploring the Cyber Security Risks of Digital Marketing

“This vulnerability can be tested by sending a single DHCP Request packet to a multicast address,” CERT/CC added.

The organization noted that CVE-2024-7490 affects ASF 3.52.0.2574 and all previous versions of the software. Tinydhcp forks available on GitHub could also be impacted.

The affected ASF version is no longer supported by the vendor, which has urged customers to “migrate to a current software solution that is under active maintenance”.

CERT/CC said it’s “currently unaware of a practical solution to this problem other than replacing the Tinydhcp service with another one that does not have the same issue.”

For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.