Talos Vulnerability Report

SUMMARY

An integer underflow vulnerability exists in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Eclipse ThreadX NetX Duo git commit 6c8e9d1

PRODUCT URLS

Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo

CVSSv3 SCORE

4.3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

DETAILS

Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. It offers a dual network stack supporting both IPv4 and IPv6

When processing an HTTP PUT request it is possible to cause an integer underflow condition which could result in a very large file to be written to the file system. This could cause a denial of service by consuming all of the file system resources. This vulnerability affects both HTTP server implementations within NetX Duo.

Upon receipt of an HTTP PUT request, the function _nx_web_http_server_put_process is invoked. The content length is extracted from the request at [1] and stored in the variable length. Next, the data contained in the request will be written to the requested file at [2]. Then, the number of bytes of data is calculated at [3] ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset). The variable offset is the beginning of the data in the HTTP request, after the HTTP headers, and packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr is the entire size of the request. For illustration purposes, let’s say that the offset of data in the packet offset is 20, and the total packet length ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) is 80 , this means that 60 bytes of data are included in the packet ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset) = 60. If the Content-Length value in the HTTP header length is 59, then this will cause an integer underflow at [3]. After the calculation at [3], length will be -1. Since the variable length is unsigned, this will be interpreted as the very large number 0xffffffff at [4]. This large number causes the code to enter and execute the loop at [4] when it otherwise shouldn’t continue processing. This loop will continue to execute and receive more data at [5] and write to the requested file at [6] until 0xffffffff bytes have been received. To summarize, an attacker could send a Content-Length value that is smaller than the data included in the request, and then continue sending data resulting in writing an excessively large file being written - potentially consuming all of the file system resources.

File: netxduo\addons\web\nx_web_http_server.c
4213: VOID  _nx_web_http_server_put_process(NX_WEB_HTTP_SERVER *server_ptr, NX_PACKET *packet_ptr)
4214: {
...
4217: ULONG       length = 0;
...
4254:         /* Calculate the content length from the request.  */
4255:         status =  _nx_web_http_server_content_length_get(packet_ptr, &length);    /*[1]*/
...
4477:     /* Determine if there is any content in the first packet.  */
4478:     if ((UINT)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) > offset)
4479:     {
4480: 
4481:         /* Write the content found in this packet.  */
4482:         status =  fx_file_write(&(server_ptr -> nx_web_http_server_file), (packet_ptr -> nx_packet_prepend_ptr + offset),
4483:                                 ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset));    /*[2]*/
...
4505:         /* Update the length.  */
4506:         length =  length - ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset);  /*[3]*/
...
4561:     /* If necessary, receive more packets from the TCP socket to complete the write request.  */
4562:     while (length || server_ptr -> nx_web_http_server_request_chunked)    /*[4]*/
4563:     {
...
4565:         /* Wait for a request.  */
4566:         status = _nx_web_http_server_packet_get(server_ptr, &data_packet_ptr);    /*[5]*/
...
4597:             /* Write the content of this packet.  */
4598:             status =  fx_file_write(&(server_ptr -> nx_web_http_server_file), next_packet_ptr -> nx_packet_prepend_ptr,
4599:                                                (ULONG)(next_packet_ptr -> nx_packet_append_ptr - next_packet_ptr -> nx_packet_prepend_ptr));      /*[6]*/

NetX Duo Component HTTP Server

This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in netxduo\addons\http\nxd_http_server.c

Mitigation

Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.

CVE-2025-2258 - NetX Duo Web Component HTTP Server

This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in netxduo\addons\web\nx_web_http_server.c

Mitigation

Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.

VENDOR RESPONSE

Eclipse has provided an update and released an advisory: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-chqp-8vf8-cj25

TIMELINE

2024-10-31 - Initial Vendor Contact
2024-10-31 - Vendor Disclosure
2025-03-04 - Vendor Patch Release
2025-04-14 - Public Release