Search criteria
2 vulnerabilities found for Advanced Software Framework by Microchip Techology
CVE-2024-7490 (GCVE-0-2024-7490)
Vulnerability from cvelistv5 – Published: 2024-08-08 15:01 – Updated: 2025-08-29 20:23 Unsupported When Assigned
VLAI?
Title
Remote Code Execution in Advanced Software Framework DHCP server
Summary
Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.
This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.
This issue affects Advanced Software Framework: through 3.52.0.2574.
ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.
Severity ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip Techology | Advanced Software Framework |
Affected:
0 , ≤ 3.52.0.2574
(semver)
|
Credits
element55
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:microchip:advanced_software_framework:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "advanced_software_framework",
"vendor": "microchip",
"versions": [
{
"lessThanOrEqual": "3.52.0.2574",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T16:25:23.040865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T16:30:11.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-19T13:06:47.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/138043"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gallery.microchip.com/packages/4CE20911-D794-4550-8B94-6C66A93228B8/",
"defaultStatus": "affected",
"modules": [
"network"
],
"packageName": "lwip",
"product": "Advanced Software Framework",
"programFiles": [
"tinydhcpserver.c"
],
"programRoutines": [
{
"name": "lwip_dhcp_find_option"
}
],
"repo": "https://savannah.nongnu.org/projects/lwip/",
"vendor": "Microchip Techology",
"versions": [
{
"lessThanOrEqual": "3.52.0.2574",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of the lwip stack embedded in ASF, and using the example DHCP server provided.\u003cbr\u003e"
}
],
"value": "Use of the lwip stack embedded in ASF, and using the example DHCP server provided."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "element55"
}
],
"datePublic": "2024-08-05T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.\u003cbr\u003e\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003etinydhcpserver.C\u003c/tt\u003e and program routines \u003ctt\u003elwip_dhcp_find_option\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Advanced Software Framework: through 3.52.0.2574.\u003c/p\u003e\u003cp\u003e\nASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.\n This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.\n\nThis issue affects Advanced Software Framework: through 3.52.0.2574.\n\n\nASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T20:23:53.142Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.microchip.com/en-us/tools-resources/develop/libraries/advanced-software-framework"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.\u003cbr\u003e"
}
],
"value": "ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework."
}
],
"source": {
"advisory": "PSIRT-23",
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Remote Code Execution in Advanced Software Framework DHCP server",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\nThe issue can be mitigated by adding a check to the size variable after the call [1] to pbuf_get_at on line 127 [1].\n If the size variable is not 4, then the function should cease \nprocessing and return. The lwip_dhcp_find_option function is only used \nto find this one option. \u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\n\u003cp\u003e [1] \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127\"\u003ehttps://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "The issue can be mitigated by adding a check to the size variable after the call [1] to pbuf_get_at on line 127 [1].\n If the size variable is not 4, then the function should cease \nprocessing and return. The lwip_dhcp_find_option function is only used \nto find this one option. \n\n\n\n\n\n\n [1] https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2024-7490",
"datePublished": "2024-08-08T15:01:09.055Z",
"dateReserved": "2024-08-05T14:10:12.165Z",
"dateUpdated": "2025-08-29T20:23:53.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7490 (GCVE-0-2024-7490)
Vulnerability from nvd – Published: 2024-08-08 15:01 – Updated: 2025-08-29 20:23 Unsupported When Assigned
VLAI?
Title
Remote Code Execution in Advanced Software Framework DHCP server
Summary
Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.
This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.
This issue affects Advanced Software Framework: through 3.52.0.2574.
ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.
Severity ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Microchip Techology | Advanced Software Framework |
Affected:
0 , ≤ 3.52.0.2574
(semver)
|
Credits
element55
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:microchip:advanced_software_framework:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "advanced_software_framework",
"vendor": "microchip",
"versions": [
{
"lessThanOrEqual": "3.52.0.2574",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T16:25:23.040865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T16:30:11.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-19T13:06:47.103Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/138043"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gallery.microchip.com/packages/4CE20911-D794-4550-8B94-6C66A93228B8/",
"defaultStatus": "affected",
"modules": [
"network"
],
"packageName": "lwip",
"product": "Advanced Software Framework",
"programFiles": [
"tinydhcpserver.c"
],
"programRoutines": [
{
"name": "lwip_dhcp_find_option"
}
],
"repo": "https://savannah.nongnu.org/projects/lwip/",
"vendor": "Microchip Techology",
"versions": [
{
"lessThanOrEqual": "3.52.0.2574",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of the lwip stack embedded in ASF, and using the example DHCP server provided.\u003cbr\u003e"
}
],
"value": "Use of the lwip stack embedded in ASF, and using the example DHCP server provided."
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "element55"
}
],
"datePublic": "2024-08-05T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.\u003cbr\u003e\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003etinydhcpserver.C\u003c/tt\u003e and program routines \u003ctt\u003elwip_dhcp_find_option\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects Advanced Software Framework: through 3.52.0.2574.\u003c/p\u003e\u003cp\u003e\nASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.\n This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.\n\nThis issue affects Advanced Software Framework: through 3.52.0.2574.\n\n\nASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T20:23:53.142Z",
"orgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"shortName": "Microchip"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.microchip.com/en-us/tools-resources/develop/libraries/advanced-software-framework"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.\u003cbr\u003e"
}
],
"value": "ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework."
}
],
"source": {
"advisory": "PSIRT-23",
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Remote Code Execution in Advanced Software Framework DHCP server",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\nThe issue can be mitigated by adding a check to the size variable after the call [1] to pbuf_get_at on line 127 [1].\n If the size variable is not 4, then the function should cease \nprocessing and return. The lwip_dhcp_find_option function is only used \nto find this one option. \u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\n\u003cp\u003e [1] \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127\"\u003ehttps://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "The issue can be mitigated by adding a check to the size variable after the call [1] to pbuf_get_at on line 127 [1].\n If the size variable is not 4, then the function should cease \nprocessing and return. The lwip_dhcp_find_option function is only used \nto find this one option. \n\n\n\n\n\n\n [1] https://github.com/alfred-ai/microchip-asf/blob/bf5205e36a265b867d531647ffbf2de5e287853a/thirdparty/lwip/lwip-tinyservices/tinydhcpserver.c#L127"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dc3f6da9-85b5-4a73-84a2-2ec90b40fca5",
"assignerShortName": "Microchip",
"cveId": "CVE-2024-7490",
"datePublished": "2024-08-08T15:01:09.055Z",
"dateReserved": "2024-08-05T14:10:12.165Z",
"dateUpdated": "2025-08-29T20:23:53.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}