CVE-2022-46545

Vulnerability

A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda F1203 router firmware version V2.0.1.6. The vulnerability is triggered via the page parameter in the /goform/NatStaticSetting endpoint. When a crafted HTTP POST request with an excessively long page value is processed, a buffer overflow occurs in the httpd module [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the /goform/NatStaticSetting endpoint with an overly long page parameter. The reference provides a proof-of-concept (POC) that demonstrates the attack, which does not require authentication beyond a default admin cookie [1]. The attacker must have network access to the router's web interface.

Impact

Successful exploitation results in a denial of service (DoS) condition, causing the router to crash or reboot. The POC confirms that the overflow leads to a DoS [1]. No other impacts such as code execution or information disclosure are documented in the available references.

Mitigation

As of the publication date, no official patch or firmware update has been released by Tenda to address this vulnerability. Users are advised to monitor the vendor's download page for future updates or consider replacing the device if it reaches end-of-life. No workaround is provided in the references [1].