CVE-2023-38936 – This CVE describes a stack overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2023-38936?

CVE-2023-38936 has a CVSS score of 9.8 (CRITICAL). This CVE describes a stack overflow vulnerability in multiple Tenda router models via the speed_dir parameter in the formSetSpeedWan function. Attackers can exploit this to execute arbitrary code or cause denial of service. Users of affected Tenda router models with specified firmware versions are vulnerable.

📋 TL;DR

This CVE describes a stack overflow vulnerability in multiple Tenda router models via the speed_dir parameter in the formSetSpeedWan function. Attackers can exploit this to execute arbitrary code or cause denial of service. Users of affected Tenda router models with specified firmware versions are vulnerable.

💻 Affected Systems

Products:

Tenda AC10
Tenda AC1206
Tenda AC6
Tenda AC7
Tenda AC5
Tenda FH1203
Tenda AC9
Tenda FH1205

Versions: V15.03.06.23, V15.03.06.44, V15.03.06.28, V2.0.1.6, V15.03.06.42_multi, V2.0.0.7(775)

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All affected models with specified firmware versions are vulnerable in default configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, attacker persistence, and lateral movement into internal networks.

🟠

Likely Case

Router crash causing denial of service, requiring physical reset to restore functionality.

🟢

If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering and not internet-facing.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability is remotely exploitable.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the router's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exists in GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

Check Tenda website for firmware updates. If available, download and flash via router web interface. Factory reset recommended after update.

🔧 Temporary Workarounds

Disable WAN management access

all

Prevent external access to router management interface

Login to router admin panel → Advanced Settings → Remote Management → Disable

Change default credentials

all

Use strong unique passwords for router admin access

Login to router admin panel → System Tools → Modify Login Password

🧯 If You Can't Patch

Replace affected routers with patched or different vendor models
Place routers behind dedicated firewalls with strict inbound filtering rules

🔍 How to Verify

Check if Vulnerable:

Check router model and firmware version in admin interface under System Status or About page.

Check Version:

curl -s http://router-ip/ | grep -i firmware || Check router web interface

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions listed in affected_systems.

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /goform/setSpeedWan
Router crash/reboot logs
Unusual outbound connections from router

Network Indicators:

Exploit traffic patterns to router management interface
Sudden loss of router connectivity

SIEM Query:

source="router_logs" AND (uri="/goform/setSpeedWan" OR "speed_dir" in request_body)

📊 Metadata

CVE ID: CVE-2023-38936

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: August 7, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/FirmRec/IoT-Vulns/blob/main/tenda/formSetSpeedWan/README.md Exploit,Vendor Advisory
https://github.com/FirmRec/IoT-Vulns/blob/main/tenda/formSetSpeedWan/README.md Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-38936, you might also want to check these: