A nearly max-critical zero-click vulnerability is impacting MediaTek Wi-Fi chipsets and driver bundles used in routers and smartphones from various manufacturers, including Ubiquiti, Xiaomi, and Netgear.

According to SonicWall Capture Labs researchers who found the issue (CVE-2024-20017, CVSS 9.8), exploitation would open the door to remote code execution (RCE) without user interaction, making the bug a conduit for easy device takeover. Making matters worse, a public proof-of-concept exploit (PoC) recently became available, they warned.

The issue affects MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02; users of affected devices should apply the available MediaTek patches as soon as possible.

In terms of the technical details, the vulnerability is an out-of-bounds write issue that resides in wappd, a network daemon responsible for configuring and managing wireless interfaces and access points.

“The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device’s wireless interfaces, and communication channels between components via Unix domain sockets,” the researchers explained in a blog post on the issue this week. “Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy.”
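The bug class the researchers describe, a length field read from the packet and handed to a memory copy with no bounds check, is shown below as an added C illustration. It is not wappd's code and assumes a hypothetical wire format (a 1-byte type, a 2-byte big-endian payload length, then the payload) and a hypothetical 64-byte destination buffer; the packets are constructed in the code. The vulnerable parser sits beside the fixed one, and the memory after the buffer is filled with a sentinel so the out-of-bounds write is visible rather than silently corrupting something.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire format for this illustration only (not the real wappd protocol):
 * [1-byte type][2-byte big-endian payload length][payload]. */
#define HDR_LEN       3
#define MSG_BUF_SIZE  64
#define MEM_SIZE      (2 * MSG_BUF_SIZE)
#define NEIGHBOR_BYTE 0xA5  /* sentinel filling the memory after the buffer */

/* Simulated process memory: the 64-byte message buffer plus whatever sits after it,
 * in one flat array so the demonstration stays well-defined C. */
static void mem_init(uint8_t *mem)
{
    memset(mem, 0, MSG_BUF_SIZE);
    memset(mem + MSG_BUF_SIZE, NEIGHBOR_BYTE, MEM_SIZE - MSG_BUF_SIZE);
}

/* 1 if nothing past the message buffer was written, 0 if it was clobbered. */
static int neighbor_intact(const uint8_t *mem)
{
    for (size_t i = MSG_BUF_SIZE; i < MEM_SIZE; i++)
        if (mem[i] != NEIGHBOR_BYTE) return 0;
    return 1;
}

/* Vulnerable shape: the length comes straight from the packet and goes straight
 * into memcpy, never compared with the destination size or the bytes received.
 * Deliberately wrong; kept only for comparison. Returns bytes copied. */
static int parse_msg_vulnerable(uint8_t *msg_buf, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return -1;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);  /* attacker-controlled */
    memcpy(msg_buf, pkt + HDR_LEN, declared);                 /* OOB write if > 64 */
    return (int)declared;
}

/* Fixed shape: bound the attacker-supplied length by the destination buffer and by
 * the payload actually present before copying. Returns bytes copied or -1. */
static int parse_msg_fixed(uint8_t *msg_buf, size_t msg_buf_size,
                           const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) return -1;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (declared > msg_buf_size) return -1;        /* would write past msg_buf */
    if (declared > pkt_len - HDR_LEN) return -1;   /* would read past the packet */
    memcpy(msg_buf, pkt + HDR_LEN, declared);
    return (int)declared;
}

/* Constructed packet: header with a chosen declared length, then payload_len 'A's. */
static size_t build_pkt(uint8_t *out, size_t out_size, uint16_t declared, size_t payload_len)
{
    if (out_size < HDR_LEN + payload_len) return 0;
    out[0] = 0x01;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xFF);
    memset(out + HDR_LEN, 'A', payload_len);
    return HDR_LEN + payload_len;
}

/* Constructed attack: 80 bytes claiming 80 against a 64-byte buffer. Returns 1 if the
 * vulnerable parser clobbered the neighbor while the fixed parser refused that packet
 * and also refused one claiming 40 bytes but carrying 10 (the read-side check). */
int demo_overflow(void)
{
    uint8_t mem[MEM_SIZE], pkt[HDR_LEN + 80];
    size_t n = build_pkt(pkt, sizeof pkt, 80, 80);
    mem_init(mem);
    parse_msg_vulnerable(mem, pkt, n);
    int clobbered = !neighbor_intact(mem);
    mem_init(mem);
    int refused = parse_msg_fixed(mem, MSG_BUF_SIZE, pkt, n) == -1 && neighbor_intact(mem);
    n = build_pkt(pkt, sizeof pkt, 40, 10);
    int short_refused = parse_msg_fixed(mem, MSG_BUF_SIZE, pkt, n) == -1;
    return clobbered && refused && short_refused;
}

/* Sweep every 16-bit declared length against a 128-byte payload: the fixed parser must
 * accept exactly 0..64 and never touch the neighbor. Returns 1 if that holds. */
int fixed_never_overflows(void)
{
    uint8_t mem[MEM_SIZE], pkt[HDR_LEN + 128];
    for (uint32_t d = 0; d <= 0xFFFF; d++) {
        size_t n = build_pkt(pkt, sizeof pkt, (uint16_t)d, 128);
        mem_init(mem);
        int rc = parse_msg_fixed(mem, MSG_BUF_SIZE, pkt, n);
        if (!neighbor_intact(mem) || rc != (d <= MSG_BUF_SIZE ? (int)d : -1))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("overflow demo: %s\n", demo_overflow() ? "ok" : "FAIL");
    printf("length sweep:  %s\n", fixed_never_overflows() ? "ok" : "FAIL");
    return 0;
}
```

Two points worth noting from the fixed version. The length has to be checked against both bounds: the destination size (otherwise the write overflows, which is the CVE's bug class) and the number of bytes actually received (otherwise the copy reads past the packet, an out-of-bounds read). And the sweep over every possible 16-bit length is the check a reviewer would want on a real patch: the accepted set should be exactly the lengths that fit, with nothing outside the buffer ever touched.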

Source: www.darkreading.com