
CVE-2026-41502: High Vulnerability in BACnet Stack

A high-severity vulnerability in BACnet Stack allows unauthenticated remote attackers to exploit an off-by-one out-of-bounds read condition. Organizations are urged to patch immediately to prevent device crashes and potential impacts on availability.

Severity: High · CVSS 8.7 · Published April 24, 2026


BACnet Stack, an open-source protocol stack for embedded systems, has a high-severity vulnerability that affects its ReadPropertyMultiple service. Specifically, this vulnerability allows unauthenticated remote attackers to exploit an off-by-one out-of-bounds read condition by sending a crafted RPM request with a truncated object identifier. The vulnerability, which is present in versions prior to 1.4.3, resides in the function rpm_decode_object_id().

The CVSS score for this vulnerability is 8.7, categorizing it as high severity. The attack vector is network-based with low attack complexity, meaning no special conditions or preparation are required to trigger the flaw. The risk to organizations is device crashes, because the vulnerability causes a read operation beyond the allocated buffer. This can destabilize embedded BACnet devices, which could have significant operational impacts.

Given the nature of this vulnerability, organizations should prioritize patching immediately. The fixed version, 1.4.3, addresses the issue and prevents further exploitation.

As of now, there are no known exploits or public proof of concepts available for this vulnerability. However, the risk it poses warrants immediate attention from security teams.

Vulnerability Details

This vulnerability allows unauthenticated remote attackers to read one byte past an allocated buffer boundary by sending a crafted RPM request. The vulnerability is in the function rpm_decode_object_id(), which incorrectly checks the length of the input, allowing for an out-of-bounds read. This issue could lead to crashes on embedded BACnet devices.

The CVSS score of 8.7 indicates a significant risk, with the vulnerability classified as CWE-125 (Out-of-bounds Read) and CWE-193 (Off-by-one Error). The vulnerability exists in the source file src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server.

Technical Analysis

The root cause of the vulnerability is a bounds-check error in the rpm_decode_object_id() function: the length of the APDU is checked, but the function then accesses one byte more than the check guarantees. Specifically, the check rejects only APDUs shorter than 5 bytes, yet the function goes on to access six byte positions (indices 0 through 5), so a 5-byte input causes a read one byte past the end of the buffer. An attacker can trigger the condition by sending a crafted RPM request whose object identifier field is truncated to exactly that length.
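The following is an added illustration of the hardened form of such a decoder; it is not code from the BACnet Stack project, and the field layout (context tag 0 plus a 4-byte object identifier, then the opening tag 1 of the property list) is an assumption used to make the six byte positions concrete. Every read is bounds-checked and the full six bytes are required before any access, so the 5-byte truncated input the advisory describes is rejected rather than read past the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration, not the BACnet Stack source. The RPM object
 * identifier is assumed to be context tag 0 (0x0C) plus four identifier bytes,
 * followed by opening tag 1 (0x1E): six byte positions, indices 0..5. */
#define RPM_OBJECT_ID_TAG   0x0C
#define RPM_OPENING_TAG_1   0x1E
#define RPM_OBJECT_ID_BYTES 6

/* Bounds-checked byte read: touches apdu[idx] only when idx < apdu_len. */
static bool read_u8(const uint8_t *apdu, size_t apdu_len, size_t idx, uint8_t *out)
{
    if (apdu == NULL || idx >= apdu_len)
        return false;
    *out = apdu[idx];
    return true;
}

/* Returns bytes consumed (6), or -1 if the APDU is too short or malformed.
 * The advisory's off-by-one rejects only apdu_len < 5 yet reads index 5; here
 * all six bytes are required up front and every access is bounds-checked. */
int safe_rpm_decode_object_id(const uint8_t *apdu, size_t apdu_len, uint32_t *object_id)
{
    uint8_t b;
    uint32_t id = 0;
    if (apdu_len < RPM_OBJECT_ID_BYTES)
        return -1;
    if (!read_u8(apdu, apdu_len, 0, &b) || b != RPM_OBJECT_ID_TAG)
        return -1;
    for (size_t i = 1; i <= 4; i++) {
        if (!read_u8(apdu, apdu_len, i, &b))
            return -1;
        id = (id << 8) | b;            /* big-endian object identifier */
    }
    if (!read_u8(apdu, apdu_len, 5, &b) || b != RPM_OPENING_TAG_1)
        return -1;
    if (object_id != NULL)
        *object_id = id;
    return RPM_OBJECT_ID_BYTES;
}
/* Constructed sample (analog-input instance 1, then opening tag 1); the helper
 * feeds only its first `len` bytes to the decoder, simulating truncation. */
static const uint8_t sample_fragment[] = {0x0C, 0x00, 0x00, 0x00, 0x01, 0x1E};
int decode_sample_prefix(size_t len, uint32_t *object_id)
{
    if (len > sizeof sample_fragment)
        len = sizeof sample_fragment;
    return safe_rpm_decode_object_id(sample_fragment, len, object_id);
}
```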

The attack vector is network-based, requiring no privileges or user interaction, making it relatively easy for attackers to exploit this vulnerability. The impact on availability is high, as the vulnerability can cause devices to crash due to the improper memory access.

Risk & Impact Analysis

The real-world risk associated with this vulnerability is significant due to the potential for device crashes in embedded systems using BACnet Stack. Organizations that deploy these systems must understand the implications of this high-severity vulnerability.

Given the CVSS score of 8.7, immediate action is necessary to mitigate the risk. The vulnerability is not actively exploited at this time, and no public proof of concept has been released. However, as with any high-severity vulnerability, the potential blast radius could be considerable, especially in environments relying heavily on BACnet devices.

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

The vulnerability affects all versions of BACnet Stack prior to 1.4.3. Organizations using versions prior to this should upgrade to mitigate the risk.

Mitigation & Remediation

Organizations should upgrade to BACnet Stack version 1.4.3 or later to address this vulnerability. If the upgrade cannot be applied immediately, network controls that restrict access to vulnerable BACnet devices (for example, limiting which hosts can reach the BACnet/IP port) reduce the exposure until the patch is deployed.

For further security evaluation, organizations may consider conducting a comprehensive security assessment. This can include application security assessment to identify other vulnerabilities.

Detection Guidance

Organizations should monitor logs for any indications of abnormal behavior associated with BACnet devices. This includes checking for unexpected RPM request patterns that could indicate an attempted exploitation of the vulnerability.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability lies in its ability to impact device availability. As organizations increasingly rely on embedded systems, the potential for disruption from such vulnerabilities grows.

This incident highlights the importance of prompt patch management and regular security assessments. Security teams should prioritize identifying and remediating vulnerabilities in their environments.

For further insights into managing vulnerabilities effectively, organizations can refer to our vulnerability management program guidelines.

Additionally, organizations may benefit from reviewing our penetration testing methodology to ensure a robust security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
