CVE-2022-24164

7.5 HIGH

📋 TL;DR

This vulnerability is a stack overflow in Tenda G1 and G3 routers that allows attackers to cause a Denial of Service (DoS) by sending requests with a specially crafted DnsHijackRule parameter. Attackers can crash the router's web interface service, disrupting network connectivity. Only specific Tenda router models running vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Tenda G1 Router
  • Tenda G3 Router
Versions: v15.11.0.17(9502)_CN
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chinese firmware version. Other regional firmware versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Router becomes completely unresponsive, requiring a physical power cycle and potentially bricking the device if memory corruption leads to permanent damage.

🟠 Likely Case

Router web interface service crashes, disrupting administrative access and potentially affecting DNS functionality until the service is restarted.

🟢 If Mitigated

If the router is behind a firewall with restricted WAN access, impact is limited to attackers on the internal network.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network access to router's web interface port (typically 80/443). The GitHub reference contains proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

Check Tenda website for firmware updates. If available, download latest firmware and upload via router web interface under System Tools > Firmware Upgrade.

🔧 Temporary Workarounds

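Restrict Web Interface Access (Platform: linux)

Block external access to the router web interface using firewall rules. As written, these rules drop all TCP traffic to ports 80 and 443 on the host where they are applied, including traffic from the LAN; scope them to the WAN-facing interface (the iptables -i option) if local administration must keep working.

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Change Default Ports (Platform: all)

Change the router web interface to non-standard ports if supported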

🧯 If You Can't Patch

  • Replace vulnerable routers with different models or brands
  • Place routers behind dedicated firewall with strict ingress filtering

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status > Firmware Version

Check Version:

curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

Verify firmware version is newer than v15.11.0.17(9502)_CN

📡 Detection & Monitoring

Log Indicators:

  • Web interface service crashes
  • Unusual POST requests to formSetVirtualSer endpoint
  • Large DnsHijackRule parameter values in logs

Network Indicators:

  • Multiple POST requests to router port 80/443 with oversized parameters
  • Sudden loss of router web interface responsiveness

SIEM Query:

source="router.log" AND ("formSetVirtualSer" OR "DnsHijackRule") AND bytes > 1000
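
The log and network indicators above, turned into a check over HTTP request records, as an added example that is not from the advisory or from Tenda. The tab-separated record layout (timestamp, source, method, path, form body) and the sample lines are assumptions constructed for illustration; the 1000-character threshold is borrowed from the SIEM query above and applied to the decoded parameter length.

```python
from collections import Counter
from urllib.parse import parse_qs

ENDPOINT = "formSetVirtualSer"   # handler name from the page's log indicators
PARAM = "DnsHijackRule"          # parameter named in the advisory
MAX_LEN = 1000                   # threshold borrowed from the page's SIEM query

def parse_line(line):
    """Split one tab-separated record: ts, src, method, path, body (assumed format)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None  # skip malformed records instead of raising
    return dict(zip(("ts", "src", "method", "path", "body"), parts))

def detect(lines, max_len=MAX_LEN):
    """Return one alert per POST whose PARAM value is longer than max_len."""
    alerts, per_src = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        form = parse_qs(rec["body"], keep_blank_values=True)
        longest = max((len(v) for v in form.get(PARAM, [])), default=0)
        if longest <= max_len:
            continue
        per_src[rec["src"]] += 1  # repeated hits from one source raise priority
        alerts.append({"ts": rec["ts"], "src": rec["src"], "param_len": longest,
                       "on_endpoint": ENDPOINT in rec["path"],
                       "repeat": per_src[rec["src"]]})
    return alerts

# Constructed sample records (not real traffic); addresses are documentation ranges
# and the request path is a placeholder containing the handler name.
SAMPLE = [
    "2022-02-01T10:00:00Z\t192.0.2.10\tGET\t/index.html\t",
    "2022-02-01T10:00:05Z\t192.0.2.10\tPOST\t/formSetVirtualSer\tDnsHijackRule=example.test",
    "2022-02-01T10:01:00Z\t198.51.100.7\tPOST\t/formSetVirtualSer\tDnsHijackRule=" + "x" * 1500,
    "2022-02-01T10:01:02Z\t198.51.100.7\tPOST\t/formSetVirtualSer\tDnsHijackRule=" + "x" * 4000,
    "truncated record",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Correlate any alert with a loss of web interface responsiveness shortly afterwards, since the page lists service crashes as the accompanying indicator.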

🔗 References
