CVE-2022-46537
Description
Tenda F1203 V2.0.1.6 was discovered to contain a buffer overflow via the security parameter at /goform/WifiBasicSet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in Tenda F1203 V2.0.1.6 via the security parameter in /goform/WifiBasicSet allows denial of service.
Vulnerability
A buffer overflow vulnerability exists in the httpd module of Tenda F1203 router firmware version V2.0.1.6. The flaw is triggered when processing a crafted HTTP POST request to the /goform/WifiBasicSet endpoint, specifically via an overly long security parameter. The affected firmware is available from Tenda's official download page [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the vulnerable endpoint. The provided proof-of-concept (PoC) demonstrates sending a request with a security parameter containing approximately 4000 'a' characters. No authentication is explicitly required in the PoC, though the example includes a cookie with user=admin; the vulnerability may be reachable without prior authentication [1].
Impact
Successful exploitation causes a denial of service (DoS) condition, likely crashing the httpd process and rendering the router's web interface unavailable. The reference notes that the PoC results in a DoS; no remote code execution or data exfiltration is described [1].
Mitigation
As of the publication date (2022-12-20), no patched firmware version has been released by Tenda. Users are advised to monitor Tenda's support page for updates. If the device is no longer supported, replacement with a supported model is recommended. No workarounds are documented [1].
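One way to flag the request pattern described under Exploitation when reviewing captured HTTP traffic to the router, as an added example that is not part of the advisory or its reference. The `MAX_LEN` threshold, the `inspect_request` and `sample_request` helpers, the `router.example` host and the sample values are assumptions made for illustration; only the endpoint path and the parameter name come from the page.

```python
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/WifiBasicSet"  # endpoint named in the CVE description
PARAM = "security"                 # parameter named in the CVE description
MAX_LEN = 256                      # assumed alert threshold, not from the advisory


def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP/1.x request (empty list if nothing matches)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n")[0]
    try:
        method, target, _version = request_line.split(" ", 2)
        url = urlsplit(target)
    except ValueError:
        return []  # not a parseable request line
    # The page describes a POST to this exact path; other traffic is ignored.
    if method.upper() != "POST" or url.path != ENDPOINT:
        return []
    findings = []
    # Inspect both the form body and the query string, including duplicates.
    for source, data in (("body", body.decode("latin-1")), ("query", url.query)):
        pairs = parse_qsl(data, keep_blank_values=True, encoding="latin-1")
        for name, value in pairs:
            size = len(value.encode("latin-1"))  # bytes after percent-decoding
            if name == PARAM and size > MAX_LEN:
                findings.append(f"{source}: {PARAM} is {size} bytes (limit {MAX_LEN})")
    return findings


def sample_request(security_value: str) -> bytes:
    """Constructed sample; only the path and parameter name come from the page."""
    body = f"{PARAM}={security_value}".encode("latin-1")
    head = (f"POST {ENDPOINT} HTTP/1.1\r\nHost: router.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


if __name__ == "__main__":
    # Constructed values: a short setting, the ~4000-character case, and an
    # oversize value whose raw form is percent-encoded.
    for value in ("wpapsk", "a" * 4000, "%61" * 300):
        print(len(value), inspect_request(sample_request(value)))
```

The length is measured after percent-decoding, so the check reflects the number of bytes the value decodes to rather than its encoded length on the wire.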
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Tenda/F1203
Patches
No patches discovered yet.
References