A critical security vulnerability has been found in TP-Link VN020-F3v(T) routers with firmware version TT_V6.2.1021 Attackers could take over the devices remotely, leading to DoS attacks or even RCE attacks.
The vulnerability, cataloged as CVE-2024-11237, allows attackers to exploit a stack-based buffer overflow by sending specially crafted DHCP DISCOVER packets, which can cause the router to crash and become unresponsive.
With additional confirmed reports of comparable vulnerabilities in versions used by Algerian and Moroccan customers, Tunisie Telecom and Topnet ISPs are primarily responsible for deploying the affected routers.
The firmware in question is proprietary, limiting the availability of internal implementation details. However, through observed behavior and black-box testing, security researchers have been able to identify the vulnerability’s impact.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
Technical Analysis of the Vulnerability
The vulnerability, identified as CVE-2024-11237, is a stack-based buffer overflow (CWE-121) that can be exploited remotely via a DHCP DISCOVER packet.
It affects the DHCP server operating on UDP port 67 and does not require authentication for exploitation. The impact of this vulnerability includes a confirmed Denial of Service (DoS), with the potential for Remote Code Execution (RCE). The attack complexity is low, making it an accessible target for attackers seeking to disrupt or gain control of affected systems.
The vulnerability stems from a flaw in the way the router processes DHCP Hostname and Vendor-Specific options. Specifically, the router fails to handle oversized or malformed inputs properly, leading to buffer overflow conditions.
In particular, attackers can send a specially crafted DHCP DISCOVER packet containing an excessively long hostname or manipulated vendor-specific options, directly triggering the overflow.
Researchers have identified several potential attack vectors and methods for triggering the overflow.
Attackers can exploit vulnerabilities in a router’s DHCP processing through various techniques. One method involves sending a DHCP request with an excessively long hostname, exceeding 127 characters, which can lead to a buffer overflow. This overflow may overwrite critical memory locations, potentially causing the device to crash.
Another technique targets the manipulation of vendor-specific options within the DHCP packet. By carefully crafting these options and creating a mismatch between the claimed and actual length of the option data, attackers can exploit the vulnerability to disrupt the router’s operation.
Additionally, discrepancies between the claimed and actual packet lengths can be exploited, leading to memory corruption and further destabilizing the device. These methods highlight the potential risks of unpatched vulnerabilities in DHCP processing at the PoC.
Potential Memory Corruption
Although the internal firmware code remains inaccessible, the observed symptoms suggest that the router’s memory may become corrupted during an attack, leading to a stack overflow.
Stack Layout (Normal Case)
+------------------------+ Higher addresses
| Previous Frame |
+------------------------+
| Return Address (4) |
+------------------------+
| Saved EBP (4) |
+------------------------+
| |
| Hostname Buffer |
| (64 bytes) |
| |
+------------------------+ Lower addresses
| Other Variables |
+------------------------+This could potentially allow attackers to overwrite the router’s return address and other key memory locations, causing instability or even enabling remote code execution.
Stack Layout (Overflow Case)
+------------------------+ Higher addresses
| Previous Frame |
+------------------------+
| Overwritten Return |
+------------------------+
| Overwritten EBP | <- Unknown state corruption
+------------------------+
| Overflow Data | <- 127 bytes of 'A'
| ... |
+------------------------+ Lower addresses
| Other Variables | <- Potentially corrupted
+------------------------+Exploiting these vulnerabilities can lead to significant consequences for network functionality. Once compromised, the router may become unresponsive, resulting in a complete loss of internet connectivity.
Devices that rely on the router’s DHCP service to obtain IP addresses may fail to connect to the network, further amplifying the disruption.
In many cases, the router attempts to restart automatically after crashing; however, manual intervention may still be necessary to restore functionality.
This can cause prolonged network downtime, especially in environments where multiple devices depend on the router’s DHCP service, leading to widespread user inconvenience.
Mitigation and Recommendations
As of now, TP-Link has not released an official patch to address this vulnerability. In the meantime, users are advised to take the following mitigation measures to reduce the risk of exploitation:
- Disable DHCP Server: If the DHCP service is not required, users can disable it in the router settings to prevent attacks.
- Implement DHCP Traffic Filtering: Network administrators can filter DHCP traffic at the network edge to block malicious packets.
- Consider Alternative Routers: If possible, consider switching to alternative router models that are not affected by this vulnerability.
Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox