CVE-2022-46533
Description
Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the limitSpeed parameter at /goform/SetClientState.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda F1203 V2.0.1.6 contains a stack-based buffer overflow in the `/goform/SetClientState` handler via the `limitSpeed` parameter, enabling denial of service.
Vulnerability
Tenda F1203 router firmware version V2.0.1.6 is affected by a stack-based buffer overflow vulnerability in the formSetClientState function within the httpd module, which handles POST requests to the /goform/SetClientState endpoint. The overflow occurs when a long string is supplied to the limitSpeed parameter. The vulnerability is present in the firmware available from the vendor's download page [1].
Exploitation
An unauthenticated attacker with network access to the router's web interface can send a crafted POST request to /goform/SetClientState with an overly long limitSpeed value (e.g., containing thousands of 'a' characters). In the provided proof-of-concept the request succeeds without valid credentials: its Cookie header contains user=admin, but the session may not need to be authenticated for the vulnerable code path to be reached [1].
Impact
Successful exploitation triggers a buffer overflow, leading to a denial of service (DoS) condition, as demonstrated by the proof-of-concept that crashes the httpd process. The impact is limited to availability; remote code execution has not been confirmed in the available references, but buffer overflows in embedded devices often have the potential for arbitrary code execution under certain conditions [1].
Mitigation
As of December 2022, the vendor (Tenda) has not released a patched firmware version for the F1203 V2.0.1.6. Users should monitor the Tenda download page for updates. In the absence of a fix, restricting network access to the router's management interface or disabling remote administration can reduce exposure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
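While no fixed firmware exists, the request shape described above can be flagged at a proxy or in captured traffic. The following is an added example, not part of the original page or of any vendor tooling; the 32-character threshold, the `/goform/other` path and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

TARGET_PATH = "/goform/SetClientState"  # endpoint named in the CVE description
PARAM = "limitSpeed"                    # parameter named in the CVE description
MAX_LEN = 32  # assumed upper bound for a legitimate value; not from the page


def inspect_request(raw: bytes):
    """Return a finding dict for an oversized limitSpeed POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # malformed request line
    path, _, query = target.partition("?")
    if method.upper() != "POST" or path.rstrip("/") != TARGET_PATH:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Check every occurrence, in the body and in the query string, and
    # measure the percent-decoded value rather than its raw encoding.
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    pairs += parse_qsl(query, keep_blank_values=True)
    longest = max((len(v) for k, v in pairs if k == PARAM), default=0)
    if longest <= MAX_LEN:
        return None
    return {"path": path, "param": PARAM, "length": longest,
            "has_cookie": "cookie" in headers}


def _sample(path, body, cookie=None):
    """Build a constructed raw request (192.0.2.1 is a documentation address)."""
    head = [f"POST {path} HTTP/1.1", "Host: 192.0.2.1",
            "Content-Type: application/x-www-form-urlencoded",
            f"Content-Length: {len(body)}"]
    if cookie:
        head.append(f"Cookie: {cookie}")
    return ("\r\n".join(head) + "\r\n\r\n" + body).encode("latin-1")


# Constructed sample traffic, not captured from a real device.
BENIGN = _sample(TARGET_PATH, "limitSpeed=128", cookie="user=admin")
OVERSIZED = _sample(TARGET_PATH, "limitSpeed=" + "a" * 2000)
ENCODED = _sample(TARGET_PATH, "limitSpeed=" + "%61" * 40)
OTHER = _sample("/goform/other", "limitSpeed=" + "a" * 2000)  # hypothetical path
```

The `has_cookie` field records whether the flagged request carried any session cookie, which helps triage given that the page describes the handler as reachable without authentication.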
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Tenda/F1203
Patches
No patches discovered yet.