Bacnet Stack
Monthly
Unauthenticated remote attackers can crash BACnet Stack prior to versions 1.5.0rc4 and 1.4.3rc2 by sending a malformed WriteProperty request that triggers an integer underflow during APDU decoding, resulting in an out-of-bounds memory read. Public exploit code exists for this vulnerability. The issue affects embedded systems running vulnerable versions of the BACnet protocol stack library.
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. [CVSS 7.5 HIGH]
The BACnet Protocol Stack library versions 1.4.2 and earlier contain an off-by-one buffer overflow in the ubasic interpreter's string tokenizer that crashes the application when processing oversized string literals. Public exploit code exists for this vulnerability, which affects any system running vulnerable versions of the BACnet Stack or Stack Overflow products. An attacker with local access and user interaction can trigger a denial of service condition through a specially crafted input string.
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.
Unauthenticated remote attackers can crash BACnet Stack prior to versions 1.5.0rc4 and 1.4.3rc2 by sending a malformed WriteProperty request that triggers an integer underflow during APDU decoding, resulting in an out-of-bounds memory read. Public exploit code exists for this vulnerability. The issue affects embedded systems running vulnerable versions of the BACnet protocol stack library.
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. [CVSS 7.5 HIGH]
The BACnet Protocol Stack library versions 1.4.2 and earlier contain an off-by-one buffer overflow in the ubasic interpreter's string tokenizer that crashes the application when processing oversized string literals. Public exploit code exists for this vulnerability, which affects any system running vulnerable versions of the BACnet Stack or Stack Overflow products. An attacker with local access and user interaction can trigger a denial of service condition through a specially crafted input string.
BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, The npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and then get read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable.