Command Injection Vulnerability in Tenda FH1201 v1.2.0.14

CVE-2024-41473

What is CVE-2024-41473?

CVE-2024-41473 is a command injection vulnerability discovered in the Tenda FH1201 router, specifically in version 1.2.0.14. This router is designed to facilitate internet connectivity for home and small office environments. The vulnerability arises from improper input validation related to the MAC address parameter, which could allow an attacker to send arbitrary commands to the device. If exploited, this vulnerability could severely compromise the device's integrity and the network it supports, potentially leading to unauthorized control and data exfiltration.

Technical Details

The vulnerability resides in the way the Tenda FH1201 router processes the 'mac' parameter at the endpoint 'ip/goform/WriteFacMac'. When an attacker crafts a malicious input for this parameter, they can inject commands that the router executes without proper authorization. The lack of secure input validation here opens the device to various forms of attacks, enabling attackers to manipulate the router's functionality or gain access to sensitive data.

Potential impact of CVE-2024-41473

1. Unauthorized Access: Exploiting this vulnerability may allow attackers to gain unauthorized access to the router's administrative controls, enabling them to change network configurations or launch further attacks on connected devices.

2. Data Exfiltration: Successful exploitation could lead to data breaches, where sensitive information being transmitted through the compromised network may be captured and siphoned off by malicious actors.

3. Network Compromise: With control over the router, attackers could utilize it as a launchpad for broader network attacks, potentially compromising additional connected systems and leading to widespread disruption.

References