CVE-2022-46532

Vulnerability

A buffer overflow vulnerability exists in Tenda F1203 router firmware version V2.0.1.6 within the httpd module when processing the deviceMac parameter in the /goform/addWifiMacFilter endpoint. The flaw is triggered when an attacker submits a POST request containing an excessively long deviceMac value, as demonstrated in the included proof-of-concept [1]. No prior authentication is required to reach the vulnerable code path.

Exploitation

An attacker with network access to the router's web interface can send a crafted POST request to /goform/addWifiMacFilter with a deviceMac parameter set to a string longer than the expected buffer size. The reference provides a fully functional proof-of-concept that causes a denial of service [1]. No special privileges or user interaction are needed.

Impact

Successful exploitation results in a buffer overflow that crashes the httpd process, leading to denial of service of the router's web management interface. The device must be manually rebooted to restore functionality. The reference does not demonstrate code execution, so the primary impact is service disruption [1].

Mitigation

As of the publication date, no firmware update or official patch has been released by Tenda to address this vulnerability. Users may consider restricting network access to the router's web interface or replacing the device if it is no longer supported. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.