CVE-2021-46394

There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v13 variable is directly retrieved from the http request parameter startIp. Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tenda:ax3_firmware:16.03.12.10:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ax3:-:*:*:*:*:*:*:*

History

10 Mar 2022, 14:41

Type	Values Removed	Values Added
CPE		cpe:2.3:o:tenda:ax3_firmware:16.03.12.10:::::::* cpe:2.3:h:tenda:ax3:-:::::::*
CWE		CWE-787
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
References	~~(MISC) https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4 -~~	(MISC) https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4 - Exploit, Third Party Advisory
First Time		Tenda Tenda ax3 Firmware Tenda ax3

04 Mar 2022, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-04 14:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-46394

Mitre link : CVE-2021-46394

CVE.ORG link : CVE-2021-46394

JSON object : View

Products Affected

tenda

ax3
ax3_firmware

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2021-46394", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-03-04T14:15:07.853", "references": [{"url": "https://github.com/sec-bin/IoT-CVE/tree/main/Tenda/AX3/4", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v13 variable is directly retrieved from the http request parameter startIp. Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de desbordamiento del buffer de pila en la funci\u00f3n formSetPPTPServer del router Tenda-AX3 versi\u00f3n V16.03.12.10_CN. La variable v13 es recuperada directamente del par\u00e1metro startIp de la petici\u00f3n http. Entonces v13 ser\u00e1 empalmada a la pila por la funci\u00f3n sscanf sin ninguna comprobaci\u00f3n de seguridad, lo que causa un desbordamiento de la pila. Al enviar por POST la p\u00e1gina /goform/SetPptpServerCfg con la startIp apropiada, el atacante puede llevar a cabo f\u00e1cilmente una ejecuci\u00f3n de c\u00f3digo remota con datos de desbordamiento cuidadosamente dise\u00f1ados"}], "lastModified": "2022-03-10T14:41:55.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ax3_firmware:16.03.12.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08A2E630-D40C-4ECE-8B4D-BA2482267F3C"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ax3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6A01F4C4-FFFF-48DD-90DB-4DD29FE57479"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}