CVE-2020-14107

7.5 HIGH

📋 TL;DR

This vulnerability is a stack overflow in the HTTP server of Cast that can be exploited via LAN to cause application crashes. It affects Cast devices and applications that use the vulnerable HTTP server component. Attackers on the same local network can trigger denial of service conditions.

💻 Affected Systems

Products:
  • Cast devices and applications using the vulnerable HTTP server
Versions: Specific versions are not detailed in the provided references; likely multiple versions prior to the patch
Operating Systems: Android-based Cast OS, Embedded Linux systems running Cast
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Cast devices in default configurations when HTTP server is enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, though this is not confirmed in available advisories.

🟠 Likely Case: Denial of service causing application crashes and service disruption on affected Cast devices.

🟢 If Mitigated: Limited to denial of service with proper network segmentation and access controls.

🌐 Internet-Facing: LOW (requires LAN access, not directly internet exploitable)
🏢 Internal Only: HIGH (exploitable by any device on the same local network)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A stack overflow that can be triggered by an unauthenticated network request typically requires minimal exploitation complexity to cause a crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the provided references; check the vendor advisory for specific patched versions

Vendor Advisory: https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=92

Restart Required: Yes

Instructions:

1. Check for firmware updates for your Cast device
2. Apply the latest available firmware update
3. Restart the device after update completion

🔧 Temporary Workarounds

Network Segmentation (scope: all)

Isolate Cast devices on separate VLANs or network segments to limit the attack surface.

Disable Unnecessary Services (scope: all)

Disable the HTTP server if it is not required for device functionality.

🧯 If You Can't Patch

  • Segment Cast devices on isolated network segments
  • Implement network access controls to restrict LAN access to Cast devices

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against vendor's patched version list

Check Version:

Check device settings or use manufacturer's device management interface

Verify Fix Applied:

Verify firmware version matches or exceeds patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • HTTP server crash logs
  • Unusual HTTP request patterns to Cast devices
  • Memory corruption error messages

Network Indicators:

  • Unusual HTTP traffic to Cast device ports
  • Multiple malformed HTTP requests from single source

SIEM Query:

source_ip="*" AND dest_ip="cast_device_ip" AND (http_request CONTAINS "malformed" OR http_status="500")
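The SIEM query above is pseudo-syntax; the following is an added example (not from the advisory or the vendor) of the same detection logic applied to an access log from the device's HTTP server. It assumes a Combined-Log-Format-style log (the real Cast HTTP server log format is not documented here), and the source addresses, size threshold and sample lines are constructed.

```python
"""Flag LAN hosts that send bursts of malformed, oversized, or
server-error-producing HTTP requests to a Cast device."""
import re
from collections import defaultdict

# Combined-Log-Format-style line (assumed format, not the device's documented one)
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<size>\S+)'
)
MAX_REQUEST_LINE = 2048  # constructed threshold for "oversized" request lines
THRESHOLD = 3            # suspicious events per source before alerting


def classify(line):
    """Return (source_ip, reason) if the line is suspicious, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: not attributable to a source
    src, req, status = m.group("src"), m.group("req"), m.group("status")
    parts = req.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return src, "malformed-request-line"
    if len(req) > MAX_REQUEST_LINE:
        return src, "oversized-request-line"
    if status.startswith("5"):
        return src, "5xx"  # server error: possible crash/restart of the HTTP server
    return None


def find_bursts(lines, threshold=THRESHOLD):
    """Map source IP -> {reason: count} for sources at or above the threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            src, reason = hit
            counts[src][reason] += 1
    return {src: dict(r) for src, r in counts.items() if sum(r.values()) >= threshold}


SAMPLE_LOG = [  # constructed sample lines; 192.0.2.x is documentation address space
    '192.0.2.10 - - [10/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jul/2020:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    '192.0.2.77 - - [10/Jul/2020:10:00:05 +0000] "GET /' + 'A' * 3000 + ' HTTP/1.1" 500 0',
    '192.0.2.77 - - [10/Jul/2020:10:00:05 +0000] "JUNK" 400 0',
    '192.0.2.77 - - [10/Jul/2020:10:00:06 +0000] "GET /index.html HTTP/1.1" 500 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```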
