Critical vulnerabilities in Microchip ASF, MediaTek expose RCE risks

Security teams were warned late last week that two different vulnerabilities in the drivers and libraries that chip manufacturers use to develop products on top of microcontrollers could lead to remote code execution (RCE).

The first vulnerability — CVE-2024-7490 — reported Sept. 19 by the CERT Coordination Center at Carnegie Mellon University, was a critical 9.5 vulnerability in all publicly available examples of the Microchip Advanced Software Framework (ASF) codebase.

Chip designers use the free, open-source code library from Microchip ASF to help them simplify the use of microcontrollers. The ASF gets used for evaluation, prototyping, design and production. 

CERT said the bug lets a specially crafted DHCP request cause a stack-based overflow that could lead to an RCE. Because this vulnerability is in IoT-centric code, CERT added that it’s likely to surface in many places in the wild.

“In addition to the vulnerability allowing remote code execution, the real problem is that ASF is open-source and is in countless products without an easy way for researchers to enumerate a complete list of vulnerable products,” said John Bambenek, president of Bambenek Consulting.

On the other hand, Bambenek said the flaw in DHCP means that security pros have a starting point of where to look. He said teams should have all devices log and monitor their DHCP and system logs to look for crashes. And any DHCP traffic outside of normal DHCP client requests should also be a good start for hunt teams to examine.

“This is a reminder that DHCP is the soft underbelly of most networks and without strong controls of what gets on a network, there are limitless ways to engage in network-based attacks,” said Bambenek.

John Gallagher, vice president of Viakoo Labs, said security teams should take three steps:

First, deploy an IoT-oriented asset and application discovery tool so they have an accurate inventory.  Second, make sure that all IoT/OT devices are on segmented networks of VLANs to prevent lateral movement. Finally, work with procurement to ensure that the device manufacturers are able to provide a patch to remediate the vulnerability.

9.8 flaw found in MediaTek Wi-Fi chipsets

Gallagher added that security teams should also prioritize the second vulnerability found that could cause an RCE — CVE-2024-20017 — a critical 9.8 flaw reported in a Sept. 19 SonicWall Capture Labs blog that affects MediaTek Wi-Fi chipsets.  

SonicWall researchers said the software drivers and libraries are used in chipsets from various manufacturers, including Ubiquiti, Xiaomi, and Netgear. Affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02.

“These vulnerabilities are similar in the sense that both of them have the issue that many device manufacturers use these chipsets and each of the manufacturers have to develop their own patches and distribute them to customers,” said Gallagher. “This is a slow process, and once the patch is delivered it will require the end user to update their devices, which not all teams are used to doing, leading to a long time before remediation takes place.” 

On the plus side, MediaTek released a patch for the vulnerability in March 2024, although the SonicWall researchers said the likelihood of exploitation has jumped with the public availability of a proof-of-concept (PoC) exploit as of Aug. 30 of this year.