CVE-2024-41461 – CVE-2024-41461 is a critical stack-based buffer... (How to Fix)

Q: What is the severity of CVE-2024-41461?

CVE-2024-41461 has a CVSS score of 9.8 (CRITICAL). CVE-2024-41461 is a critical stack-based buffer overflow vulnerability in Tenda FH1201 routers that allows remote attackers to execute arbitrary code or cause denial of service by sending specially crafted requests to the DHCP client list endpoint. This affects all users running vulnerable firmware versions of the Tenda FH1201 router. Attackers can exploit this without authentication to potentially take full control of affected devices.

📋 TL;DR

CVE-2024-41461 is a critical stack-based buffer overflow vulnerability in Tenda FH1201 routers that allows remote attackers to execute arbitrary code or cause denial of service by sending specially crafted requests to the DHCP client list endpoint. This affects all users running vulnerable firmware versions of the Tenda FH1201 router. Attackers can exploit this without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

Tenda FH1201

Versions: v1.2.0.14 (specific version mentioned in CVE)

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: This appears to affect the default configuration as the vulnerable endpoint is part of the web management interface.

📦 What is this software?

Fh1201 Firmware by Tendacn

View all CVEs affecting Fh1201 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a foothold for further attacks.

🟢

If Mitigated

Denial of service causing router reboot or instability if exploit attempts fail to achieve code execution.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability requires no authentication, making them prime targets for automated attacks.

🏢 Internal Only: MEDIUM - While primarily internet-facing, internal attackers could also exploit this if they gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is in a web endpoint that doesn't require authentication, and public proof-of-concept code exists in the referenced GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Tenda's official website for firmware updates. 2. If available, download the latest firmware for FH1201. 3. Log into router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply the new firmware. 6. Wait for router to reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the router's web management interface

Log into router admin -> Advanced Settings -> Remote Management -> Disable

Network Segmentation

all

Isolate the router from critical internal networks

Use VLANs or separate physical networks to segment router management traffic

🧯 If You Can't Patch

Replace the vulnerable device with a different model that receives security updates
Place the router behind a firewall that blocks access to port 80/443 and the specific vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check current firmware version in router admin interface under System Status or Firmware Upgrade section

Check Version:

curl -s http://router-ip/ | grep -i firmware || Check web interface manually

Verify Fix Applied:

Verify firmware version is newer than v1.2.0.14 and test if the /goform/DhcpListClient endpoint still exists

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /goform/DhcpListClient
Unusual long parameter values in web requests
Router crash/reboot logs

Network Indicators:

HTTP POST requests to /goform/DhcpListClient with unusually long list1 parameter
Traffic patterns suggesting buffer overflow attempts

SIEM Query:

source="router_logs" AND (uri_path="/goform/DhcpListClient" OR message="buffer overflow" OR message="segmentation fault")

📊 Metadata

CVE ID: CVE-2024-41461

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: July 24, 2024

Last Updated: November 21, 2024

🔗 References

https://github.com/iotresearch/iot-vuln/blob/main/Tenda/FH1201/DhcpListClient/README.md Exploit,Third Party Advisory
https://github.com/iotresearch/iot-vuln/blob/main/Tenda/FH1201/DhcpListClient/README.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-41461, you might also want to check these: