CERT/CC Warns of Unpatched Critical Vulnerability in Microchip ASF


Microchip Advanced Software Framework (ASF) 3 is affected by a critical vulnerability that could lead to remote code execution.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published an advisory for a critical flaw affecting Microchip’s Advanced Software Framework (ASF).

Microchip ASF is a free and open source code library for the company’s microcontrollers. The US-based semiconductor supplier says the product is meant for the evaluation, prototyping, design and production phases.

The security hole, tracked as CVE-2024-7490, was discovered by Andrue Coombes of Amazon Element55. According to CERT/CC, the issue is related to ASF’s implementation of the Tinydhcp server, and it can allow remote code execution using specially crafted DHCP requests.

“An implementation of DHCP in ASF fails input validation, thereby creating conditions for a stack-based overflow,” CERT/CC explained. “Because this vulnerability is in IoT-centric code, it is likely to surface in ...


Copyright of this story solely belongs to SecurityWeek.