CVE-2022-24172

7.5 HIGH

📋 TL;DR

CVE-2022-24172 is a stack overflow vulnerability in Tenda G1 and G3 routers that allows attackers to cause a Denial of Service (DoS) by sending specially crafted requests to the formAddDhcpBindRule function. This affects users of Tenda G1 and G3 routers running vulnerable firmware versions. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Tenda G1 router
  • Tenda G3 router
Versions: v15.11.0.17(9502)_CN
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chinese firmware version. Other regional versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router crash requiring physical reboot, potentially disrupting all network connectivity for affected devices.

🟠 Likely Case

Router becomes unresponsive, requiring manual reboot to restore functionality.

🟢 If Mitigated

Limited impact if routers are behind firewalls with restricted WAN access.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Could be exploited by malicious internal actors or malware on the local network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in a GitHub repository. Exploitation requires sending a crafted HTTP request to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check Tenda website for firmware updates
2. If update available, download and flash via router web interface
3. Reboot router after update
4. Verify firmware version is no longer vulnerable

🔧 Temporary Workarounds

Restrict WAN Access

Block external access to router administration interface

Configure firewall to block incoming connections to router IP on ports 80/443

Disable Remote Management

Turn off remote administration feature in router settings

Log in to the router admin panel → System → Remote Management → Disable

🧯 If You Can't Patch

  • Replace affected routers with different models or brands
  • Place routers behind additional firewall with strict ingress filtering

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is v15.11.0.17(9502)_CN, device is vulnerable.

Check Version:

Log in to the router web interface and check the System Status or Firmware Update section

Verify Fix Applied:

Verify firmware version has changed from v15.11.0.17(9502)_CN to a newer version.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed HTTP requests to /goform/AddDhcpRules endpoint
  • Router crash/reboot logs
  • Unusual traffic patterns to router administration interface

Network Indicators:

  • HTTP POST requests to /goform/AddDhcpRules with malformed parameters
  • Sudden loss of connectivity to router

SIEM Query:

source="router.log" AND (uri="/goform/AddDhcpRules" OR message="crash" OR message="reboot")
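
The indicators above combined into one check, as an added example (not code from the advisory or the vendor): it flags POSTs to /goform/AddDhcpRules that are oversized, got no logged response, or were followed by a crash/reboot message. The two log line formats, the 512-byte threshold and the 120-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/goform/AddDhcpRules"   # endpoint named in the indicators above
MAX_BODY = 512                      # assumed threshold for an oversized request body
WINDOW = timedelta(seconds=120)     # assumed request-to-reboot correlation window

# Assumed HTTP log format: "<ISO time> <src> <METHOD> <uri> <status or -> <body bytes>"
HTTP_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}|-) (\d+)$")
# Assumed system log format: "<ISO time> system <message>"
SYS_RE = re.compile(r"^(\S+) system (.*(?:crash|reboot).*)$", re.I)

def analyze(lines):
    """Return one finding (src, time, reasons) per suspicious POST to ENDPOINT."""
    hits, reboots = [], []
    for line in lines:
        line = line.strip()
        m = HTTP_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).split("?")[0] == ENDPOINT:
            hits.append({"time": datetime.fromisoformat(m.group(1)), "src": m.group(2),
                         "status": m.group(5), "size": int(m.group(6))})
            continue
        m = SYS_RE.match(line)
        if m:
            reboots.append(datetime.fromisoformat(m.group(1)))
    findings = []
    for h in hits:
        reasons = []
        if h["size"] > MAX_BODY:
            reasons.append("oversized body")
        if h["status"] == "-":          # request logged, response never written
            reasons.append("no response logged")
        if any(timedelta(0) <= r - h["time"] <= WINDOW for r in reboots):
            reasons.append("reboot within window")
        if reasons:
            findings.append({"src": h["src"], "time": h["time"], "reasons": reasons})
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = """\
2022-02-01T10:00:00 192.168.0.10 GET /index.html 200 0
2022-02-01T10:05:00 192.168.0.10 POST /goform/AddDhcpRules 200 96
2022-02-01T11:30:12 203.0.113.7 POST /goform/AddDhcpRules - 4096
2022-02-01T11:30:40 system watchdog reboot
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"].isoformat(), f["src"], ", ".join(f["reasons"]))
```

Correlating the request with the reboot keeps ordinary DHCP binding changes made by an administrator from raising alerts on their own.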
