CVE-2024-35579: Tenda AX1806 Buffer Overflow Vulnerability

CVE-2024-35579 Overview

CVE-2024-35579 is a stack-based buffer overflow [CWE-121] in the Tenda AX1806 wireless router running firmware version 1.0.0.1. The vulnerability resides in the formSetIptv function, which fails to validate the length of the iptv.city.vlan parameter before copying it into a fixed-size stack buffer. A remote attacker can send a crafted HTTP request to the router's web management interface to corrupt stack memory. Successful exploitation can crash the device or potentially allow execution of attacker-controlled code on the router. The vulnerability affects confidentiality and integrity of the device and impacts network availability for connected clients.

Critical Impact

Remote attackers can trigger stack memory corruption in the router's HTTP service through the iptv.city.vlan parameter, leading to denial of service or possible code execution on the device.

Affected Products

• Tenda AX1806 hardware (cpe:2.3:h:tenda:ax1806:-)
• Tenda AX1806 firmware version 1.0.0.1
• Devices exposing the formSetIptv endpoint on the web management interface

Discovery Timeline

• 2024-05-20 - CVE-2024-35579 published to NVD
• 2025-03-17 - Last updated in NVD database

Technical Details for CVE-2024-35579

Vulnerability Analysis

The flaw resides in the formSetIptv handler within the Tenda AX1806 web management binary. This handler processes IPTV configuration submissions from authenticated and unauthenticated request paths exposed by the router's HTTP server. The function reads the iptv.city.vlan parameter directly from the request and copies it into a fixed-size stack buffer using an unbounded string copy operation. Because no length check is performed, an oversized value overruns the buffer and overwrites adjacent stack data, including the saved return address. Attackers operating on the local network or across routed paths reachable to the management interface can submit the malicious request. The router's MIPS architecture and lack of modern exploit mitigations on consumer firmware increase the probability of reliable code execution, though the high attack complexity reflects practical exploitation hurdles.

Root Cause

The root cause is the absence of input length validation on the iptv.city.vlan HTTP parameter before it is written to a stack buffer in formSetIptv. The function trusts attacker-controlled data and does not enforce a maximum size, matching the classic pattern of [CWE-121] stack-based buffer overflow.

Attack Vector

Exploitation is performed over the network by sending a crafted HTTP POST request to the formSetIptv endpoint with an oversized iptv.city.vlan value. No user interaction is required. An attacker positioned on the LAN, or able to reach the management interface remotely if exposed, can deliver the payload. Detailed exploitation notes are available in the Notion Analysis on Tenda AX1806.

No verified public proof-of-concept code is referenced in the NVD entry. The vulnerability mechanism follows the documented pattern: an HTTP request containing a long string in the iptv.city.vlan field reaches formSetIptv, which copies the value into a fixed-size local buffer without bounds checking, corrupting the stack frame.

Detection Methods for CVE-2024-35579

Indicators of Compromise

• HTTP POST requests to /goform/SetIptvInfo or related formSetIptv endpoints containing abnormally long iptv.city.vlan parameter values
• Unexpected reboots, crashes, or service restarts on Tenda AX1806 routers
• New or unknown administrative sessions on the router web interface following a suspicious request

Detection Strategies

• Inspect HTTP traffic destined for the router's management interface for parameter values exceeding expected VLAN identifier length (typically 1-4 numeric characters)
• Deploy network intrusion detection signatures that flag iptv.city.vlan values longer than a reasonable threshold (for example, 16 bytes)
• Correlate router crash or watchdog events with preceding inbound HTTP requests to the IPTV configuration handler

Monitoring Recommendations

• Log all administrative access attempts to the router's web interface and alert on traffic from non-administrative hosts
• Forward router syslog data to a central collector and monitor for abnormal restart frequency
• Track DNS and outbound connection patterns from the router itself for signs of post-exploitation command-and-control activity

How to Mitigate CVE-2024-35579

Immediate Actions Required

• Restrict access to the router's web management interface to trusted administrative hosts only and disable remote (WAN-side) management
• Place the router on a segmented management VLAN that blocks untrusted clients from reaching the HTTP service
• Audit the device for unauthorized configuration changes, including DNS settings, port forwards, and administrator credentials

Patch Information

No vendor advisory or fixed firmware version is referenced in the NVD record for CVE-2024-35579 at the time of writing. Administrators should monitor the Tenda support site for an updated firmware release addressing formSetIptv and apply it once available. If a patched build is not provided for AX1806 firmware 1.0.0.1, consider replacing the device with a vendor-supported model.

Workarounds

• Disable the IPTV feature on the router if it is not in use to reduce the attack surface around formSetIptv
• Block inbound access to the router's HTTP management port from the WAN at the upstream firewall
• Apply MAC or IP allowlisting on the LAN to limit which clients can reach the router's administrative interface

# Example: block external access to the router management interface using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -i <wan-interface> -j DROP
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -i <wan-interface> -j DROP

# Example: restrict LAN management access to a single admin workstation
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 ! -s <admin-host-ip> -j DROP