| Vulnerability Name: | CVE-2022-24354 (CCN-219375) | ||||||||||||
| Assigned: | 2022-02-10 | ||||||||||||
| Published: | 2022-02-10 | ||||||||||||
| Updated: | 2022-02-28 | ||||||||||||
| Summary: | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 prior to 1.1.4 Build 20211022 rel.59103(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko module. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15835. | ||||||||||||
| CVSS v3 Severity: | 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 8.3 High (CVSS v2 Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C)
| ||||||||||||
| Vulnerability Type: | CWE-190 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-24354 Source: XF Type: UNKNOWN tplink-cve202224354-code-exec(219375) Source: CCN Type: TP-Link Web site WiFi Networking Equipment for Home & Business Source: CCN Type: ZDI-22-264 TP-Link AC1750 NetUSB Integer Overflow Remote Code Execution Vulnerability Source: MISC Type: Third Party Advisory, VDB Entry https://www.zerodayinitiative.com/advisories/ZDI-22-264/ | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||