Hirschmann Industrial IT HiLCOS Web Interface Heap Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

A heap overflow vulnerability has been identified in the HiLCOS web interface of Hirschmann Industrial IT products. This vulnerability allows unauthenticated remote attackers to send specially crafted requests that trigger a denial-of-service condition, causing the affected device to crash and disrupt services. The issue is particularly pronounced in configurations where the Public Spot functionality is enabled. The vulnerability affects HiLCOS versions 10.34.6313 and prior, across various product lines including BAT-R, BAT-F, BAT450-F, BAT867-R, BAT867-F, WLC, and BAT Controller Virtual.

Impact

Exploitation of this vulnerability leads to a heap overflow, causing the device to crash and disrupt services. In some cases, such as with LANCOM LCOS, this heap overflow could potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/radius/start.html' endpoint of the HiLCOS web interface with a 'Content-Length' header set to '4294967295'. This value overflows the arithmetic the server performs on the content length, so the 'read_body' function no longer bounds its reads and copies an unlimited amount of request data into a heap buffer, triggering the heap overflow.
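The mechanism described above is a length value that overflows the server's length arithmetic. On the defensive side, the check a front-end proxy, WAF or the server itself should perform is to validate 'Content-Length' strictly before any allocation or read is sized from it. The following is an added example, not HiLCOS or Hirschmann code: it rejects non-decimal values, values at or above 2^32 - 1 (where a 32-bit length counter would wrap), and values above a configured body limit, then runs the same check over a few constructed log lines to flag requests of this shape. The 1 MiB limit, the log-line format and the sample lines are assumptions for the example.

```python
import re
from typing import List, Optional, Tuple

# Largest request body the service is willing to accept. Constructed policy
# value for this example; it sits far below 2**32 - 1, so the wrap-around
# described in the advisory is unreachable even before the overflow check.
MAX_BODY_BYTES = 1 << 20  # 1 MiB

UINT32_MAX = 0xFFFFFFFF
_DECIMAL_RE = re.compile(r"[0-9]+")


def check_content_length(raw: str) -> Optional[str]:
    """Validate a Content-Length header value.

    Returns None when the value is acceptable, otherwise a short reason
    string describing why the request should be rejected.
    """
    value = raw.strip()
    # Only a plain decimal integer is allowed: no sign, no whitespace inside,
    # no commas or duplicated values that a lenient parser might accept.
    if not _DECIMAL_RE.fullmatch(value):
        return f"malformed Content-Length {raw!r}"
    length = int(value)
    # A server that stores the length in a 32-bit integer and adds to it
    # (for example for a trailing terminator) wraps to a tiny value here
    # while still reading the advertised amount, so reject it outright.
    if length >= UINT32_MAX:
        return f"Content-Length {length} would overflow a 32-bit length"
    if length > MAX_BODY_BYTES:
        return f"Content-Length {length} exceeds limit {MAX_BODY_BYTES}"
    return None


def parse_content_length(raw: str) -> int:
    """Strict variant for callers that want an int or an exception."""
    problem = check_content_length(raw)
    if problem is not None:
        raise ValueError(problem)
    return int(raw.strip())


# Constructed sample of proxy log lines: "<method> <path> <content-length>",
# with "-" when the request carried no Content-Length header.
SAMPLE_LOG = """\
POST /radius/start.html 4294967295
POST /radius/start.html 312
GET /index.html -
POST /radius/start.html 4294967296
POST /other.html 99999999999
"""


def flag_oversized_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (method, path, reason) for every logged request whose
    Content-Length fails check_content_length()."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the constructed log format
        method, path, clen = parts
        if clen == "-":
            continue  # no body length advertised
        problem = check_content_length(clen)
        if problem is not None:
            findings.append((method, path, problem))
    return findings


if __name__ == "__main__":
    for method, path, reason in flag_oversized_requests(SAMPLE_LOG):
        print(f"{method} {path}: {reason}")
```

The same validation belongs at the point where 'read_body' sizes its buffer: once the length is bounded by a policy limit that is far below the integer range used for the arithmetic, no header value can wrap the counter, and the read loop has a hard upper bound independent of what the client advertised.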

Remediation

Users are advised to update to HiLCOS version 10.34.6464 (Release Update 8), which addresses this vulnerability. For those unable to update immediately, the web interface can be disabled completely or blocked with a firewall. Management products such as Hirschmann LANConfig, the WLC, and BAT Controller Virtual will automatically fall back to other management methods such as SSH.

Added: Apr 2, 2026, 9:51 PM
Updated: Apr 2, 2026, 9:51 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 8.3
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.