CVE-2024-2985 – A critical stack-based buffer overflow vulnerab... (How to Fix)

Q: What is the severity of CVE-2024-2985?

CVE-2024-2985 has a CVSS score of 8.8 (HIGH). A critical stack-based buffer overflow vulnerability in Tenda FH1202 routers allows remote attackers to execute arbitrary code by manipulating the PPPOEPassword parameter. This affects Tenda FH1202 firmware version 1.2.0.14(408) and potentially other versions. Attackers can exploit this without authentication to potentially take full control of affected devices.

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Tenda FH1202 routers allows remote attackers to execute arbitrary code by manipulating the PPPOEPassword parameter. This affects Tenda FH1202 firmware version 1.2.0.14(408) and potentially other versions. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

Tenda FH1202

Versions: 1.2.0.14(408) - other versions may be affected but not confirmed

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface component. Devices with default configurations that expose the management interface are vulnerable.

📦 What is this software?

Fh1202 Firmware by Tenda

View all CVEs affecting Fh1202 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement to internal networks, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify device configuration, intercept network traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Denial of service if exploit fails or is detected, or limited impact if device is isolated with proper network segmentation.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing routers with web management interfaces exposed.

🏢 Internal Only: MEDIUM - Internal devices could still be exploited by attackers who have gained initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires sending a specially crafted HTTP request to the /goform/QuickIndex endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

No official patch available. Monitor Tenda website for firmware updates. If update becomes available: 1. Download firmware from official Tenda site 2. Access router admin interface 3. Navigate to firmware upgrade section 4. Upload and apply new firmware 5. Reboot router

🔧 Temporary Workarounds

Disable WAN access to management interface

all

Prevent external access to the vulnerable web interface

Access router admin panel -> Security/Firewall settings -> Disable remote management/remote access

Change default credentials

all

Mitigate risk if authentication is required (though exploit is unauthenticated)

Access router admin panel -> System/Administration -> Change admin password

🧯 If You Can't Patch

Isolate affected devices in a separate VLAN with strict firewall rules
Implement network-based intrusion prevention (IPS) to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.2.0.14(408), device is vulnerable. Also check if /goform/QuickIndex endpoint is accessible.

Check Version:

curl -s http://router-ip/ | grep -i firmware || Access router web interface and check System/Status page

Verify Fix Applied:

Verify firmware version has changed from 1.2.0.14(408). Test if buffer overflow payloads to PPPOEPassword parameter no longer cause crashes.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /goform/QuickIndex with long PPPOEPassword parameters
Router crash/reboot logs
Unusual process creation in router logs

Network Indicators:

HTTP POST requests to router IP on port 80/443 with oversized PPPOEPassword parameter
Unusual outbound connections from router after exploitation

SIEM Query:

source="router_logs" AND (uri_path="/goform/QuickIndex" AND content_length>1000) OR (event_type="crash" AND device_model="FH1202")

📊 Metadata

CVE ID: CVE-2024-2985

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: March 27, 2024

Last Updated: January 14, 2025

🔗 References

https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1202/formQuickIndex.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.258154 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.258154 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301276 Third Party Advisory,VDB Entry
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1202/formQuickIndex.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.258154 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.258154 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.301276 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-2985, you might also want to check these: