CVE-2024-4291
📋 TL;DR
A critical stack-based buffer overflow vulnerability in Tenda A301 routers allows remote attackers to execute arbitrary code by manipulating the deviceList parameter in the formAddMacfilterRule function. This affects Tenda A301 routers running firmware version 15.13.08.12_multi_TDE01. Attackers can exploit this without authentication to potentially take full control of affected devices.
💻 Affected Systems
- Tenda A301
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement to internal networks, and data exfiltration.
Likely Case
Remote code execution allowing attackers to modify router settings, intercept network traffic, or use the device as a foothold for further attacks.
If Mitigated
Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.
🎯 Exploit Status
Public exploit details are available on GitHub, making exploitation straightforward for attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available - vendor did not respond to disclosure
Restart Required: Yes
Instructions:
1. Check Tenda's official website for firmware updates
2. If update available, download and install following vendor instructions
3. Note: No official patch is currently known to exist
🔧 Temporary Workarounds
Disable Remote Management
Prevent external access to the vulnerable web interface
Access router admin panel -> Advanced Settings -> Remote Management -> Disable
Network Segmentation
Isolate affected routers from critical network segments
🧯 If You Can't Patch
- Replace affected devices with patched or different model routers
- Implement strict network access controls to limit exposure to the router's management interface
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version via the admin panel: Login -> System Status -> Firmware Version. If the version is exactly 15.13.08.12_multi_TDE01, the device is vulnerable.
Check Version:
curl -s http://router-ip/goform/getStatus | grep firmware_version
Verify Fix Applied:
Verify firmware version has changed from 15.13.08.12_multi_TDE01 to a newer version. No official patch exists, so replacement may be necessary.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /goform/setBlackRule
- Multiple failed authentication attempts followed by successful access to vulnerable endpoint
- Abnormal process creation or system modifications
Network Indicators:
- Unusual outbound connections from router to unknown IPs
- Traffic patterns suggesting command and control communication
- Port scanning originating from router
SIEM Query:
source="router_logs" AND uri="/goform/setBlackRule*" AND method="POST" AND size>normal_threshold
(normal_threshold is a placeholder: baseline it from legitimate MAC-filter rule submissions, which are small, before alerting on larger request bodies.)
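The SIEM query above, as an added detection example that is not part of the original advisory: it parses constructed web-server log lines (the line format and the 512-byte threshold are assumptions, not Tenda's real log format) and flags POST requests to the vulnerable endpoint whose body size exceeds what a legitimate MAC-filter rule submission would produce, then groups hits by source address for triage.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not captured from a real device).
# Assumed format: "<client_ip> <method> <uri> <request_body_bytes> <status>"
SAMPLE_LOGS = [
    "192.0.2.10 GET /goform/getStatus 0 200",
    "192.0.2.10 POST /goform/setBlackRule 96 200",      # normal-sized rule update
    "198.51.100.7 POST /goform/setBlackRule 4096 200",  # oversized body: suspicious
    "198.51.100.7 POST /goform/setBlackRule 8192 500",  # oversized body, server error
    "192.0.2.11 POST /goform/WifiBasicSet 120 200",     # unrelated endpoint
    "this line does not match the expected format",
]

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<size>\d+) (?P<status>\d{3})$"
)

# Endpoint that dispatches to formAddMacfilterRule (from the advisory's indicators).
VULNERABLE_URI = "/goform/setBlackRule"
# Assumed threshold: a legitimate deviceList of a few MAC addresses is far below this.
NORMAL_THRESHOLD = 512


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(entry: Dict[str, str], threshold: int = NORMAL_THRESHOLD) -> bool:
    """POST to the vulnerable endpoint with a body larger than the baseline."""
    return (
        entry["method"] == "POST"
        and entry["uri"].startswith(VULNERABLE_URI)
        and int(entry["size"]) > threshold
    )


def find_suspicious(lines: List[str], threshold: int = NORMAL_THRESHOLD) -> List[Dict[str, str]]:
    """Apply the rule to every parseable line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry, threshold):
            hits.append(entry)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client IP so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for entry in hits:
        counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return counts
```

Run `summarize_by_source(find_suspicious(SAMPLE_LOGS))` to see the per-source counts; a 5xx status on a flagged request is worth correlating with the router's web service restarting.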
🔗 References
- https://github.com/L1ziang/Vulnerability/blob/main/formAddMacfilterRule.md
- https://vuldb.com/?ctiid.262223
- https://vuldb.com/?id.262223
- https://vuldb.com/?submit.320672