External risk intelligence

Tenda AC23 Firmware Buffer Overflow

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-32386

This vulnerability affects a Tenda AC23 router, which is a network edge device. Routers are commonly deployed as internet-facing gateways and management surfaces in home and small office environments, making the affected interface frequently accessible via the network in typical deployment scenarios.

Out-of-bounds Write

Tendacn Ac23 Ac2100 Firmware

16.03.07.44

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Tenda AC23 network devices that could allow for unauthorized access and control. This issue stems from a buffer overflow flaw, which, if exploited, could lead to significant disruption. The main concern at this stage is to confirm if these devices are in use within our environment and assess any potential exposure.

  • Remote attackers can gain control of devices.
  • Considered critical due to easy, widespread exploitation.
  • Confirm device presence and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by interacting with the affected router over the network. The specific function `fromAdvSetMacMtuWan` is involved, and when exploited, it could allow an attacker to execute arbitrary code on the device, potentially leading to a complete compromise.

  • Network exposure required.
  • Triggered via `fromAdvSetMacMtuWan`.
  • Risk of arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

A buffer overflow vulnerability in the Tenda AC23 router's firmware could allow an unauthenticated attacker to execute arbitrary code on the device when it is exposed to the network. This could potentially impact the router's normal operation and any network traffic passing through it.

  • Router's functionality.
  • Via network requests to an affected interface.
  • Disruption of network service.

Operational Fix

Recommended remediation, mitigation, and detection steps

The affected Tenda AC23 router firmware can be exploited via a network buffer overflow, representing a critical risk. The first practical move is to identify all deployed AC23 devices, confirm network reachability and business criticality, and then locate the accountable owner for remediation planning.

  • Assign ownership to network infrastructure teams.
  • Verify device network exposure and criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Tenda AC23 device?

The Tenda AC23 is a network router designed for home and small office environments. It serves as a gateway to manage internet connectivity and local network traffic for connected devices. The firmware version 16.03.07.44 handles the core operations that enable these networking functions.

What is the buffer overflow in CVE-2022-32386?

This vulnerability is classified as CWE-787, which is an out-of-bounds write. In plain terms, the software fails to properly check the size of incoming data before writing it to memory. By sending specially crafted network requests to the router, an attacker can overflow the allocated memory space, potentially allowing them to execute unauthorized code on the device.

How is this Tenda AC23 vulnerability triggered?

The flaw is triggered by sending specific network data to the `fromAdvSetMacMtuWan` function within the firmware. It is important to note that this requires network interaction with the router's management interfaces; it is not triggered by standard web browsing or routine traffic flowing through the device to the internet.

Why is this CVE considered relevant to my security?

According to Halo Surface Signal, this router is an edge device frequently deployed as an internet-facing gateway. Because the vulnerability is accessible over the network without requiring authentication, any AC23 device exposed to the public internet is at a higher risk of being reached by an attacker.

What are the first steps to address this issue?

If you use this hardware, begin by creating an inventory of all Tenda AC23 devices in your network. Determine if these devices are directly reachable from the internet, as this increases their risk. Once identified, notify the network or infrastructure team responsible for these systems to evaluate the devices and coordinate with the vendor for remediation.

References