STMicroelectronics X-CUBE-AZRTOS-WL NetX Component HTTP Server Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the NetX Component HTTP server of STMicroelectronics X-CUBE-AZRTOS-WL version 2.0.0. This vulnerability allows an attacker to send a specially crafted network packet that disrupts service. The issue arises when the server processes HTTP PUT requests. If an error occurs after a file is opened for writing, the file is not properly closed. This oversight leads to subsequent HTTP requests involving file resources being met with a '404 File Not Found' error. The vulnerability is present in the file 'x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\http\nxd_http_server.c'.
Impact
Exploitation of this vulnerability causes a denial-of-service condition on the HTTP server, where it fails to properly handle file resources, resulting in '404 File Not Found' errors for affected requests.
Reproduction
To reproduce this vulnerability, send an HTTP PUT request with a 'Content-Length' header indicating more data than is actually sent. The server will attempt to read the additional data, and when it times out, it will enter an error state without closing the file that was opened for the write operation. This will cause any following requests that involve file resources to receive a '404 File Not Found' response.
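The sequence above, as an added example that is not part of the advisory or of the NetX Duo sources: a small C model of a server that owns one file control block, with a faulty PUT handler that returns on receive timeout without closing the file and a corrected handler that closes it on every exit. The single file slot, the status codes and the request sizes are constructed for illustration; the model only shows why a leaked handle turns later file requests into 404s.

```c
/* Added example: a simplified C model of the fault described above, not
 * NetX Duo or FileX source. The single file slot, status codes and request
 * sizes are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The model server owns one file control block shared by all requests;
 * it must be released before any later request can open a file. */
typedef struct { bool file_slot_in_use; } http_server_t;

/* Constructed client connection: only body_len bytes ever arrive, so
 * reading past them stands in for a receive timeout. */
typedef struct { const char *body; size_t body_len; size_t pos; } client_conn_t;

static int server_file_open(http_server_t *s) {
    if (s->file_slot_in_use) return -1;     /* control block still busy */
    s->file_slot_in_use = true;
    return 0;
}

static void server_file_close(http_server_t *s) { s->file_slot_in_use = false; }

/* Bytes delivered, or -1 when the client sends nothing more (timeout). */
static int conn_receive(client_conn_t *c, char *buf, size_t want) {
    size_t n;
    if (c->pos >= c->body_len) return -1;
    n = c->body_len - c->pos;
    if (n > want) n = want;
    memcpy(buf, c->body + c->pos, n);
    c->pos += n;
    return (int)n;
}

/* Faulty PUT handling: the early return on timeout skips the close, so the
 * file slot stays busy for every later request. */
static int handle_put_faulty(http_server_t *s, client_conn_t *c, size_t content_length) {
    char buf[16];
    size_t received = 0;
    if (server_file_open(s) != 0) return 404;
    while (received < content_length) {
        int n = conn_receive(c, buf, sizeof buf);
        if (n < 0) return 500;              /* leak: file never closed */
        received += (size_t)n;
    }
    server_file_close(s);
    return 200;
}

/* Corrected PUT handling: every exit after the open passes the close. */
static int handle_put_fixed(http_server_t *s, client_conn_t *c, size_t content_length) {
    char buf[16];
    size_t received = 0;
    int status = 200;
    if (server_file_open(s) != 0) return 404;
    while (received < content_length) {
        int n = conn_receive(c, buf, sizeof buf);
        if (n < 0) { status = 500; break; } /* fall through to the close */
        received += (size_t)n;
    }
    server_file_close(s);                   /* runs after success and timeout */
    return status;
}

/* A later GET needs the same slot, so a leaked handle becomes a 404. */
static int handle_get(http_server_t *s) {
    if (server_file_open(s) != 0) return 404;
    server_file_close(s);
    return 200;
}

/* Replays the Reproduction section: a PUT with Content-Length 64 whose client
 * sends only 5 bytes, then a GET. Returns the GET status code. */
static int replay_short_put_then_get(bool use_fixed_handler) {
    http_server_t server = { false };
    client_conn_t conn = { "hello", 5, 0 };
    if (use_fixed_handler) handle_put_fixed(&server, &conn, 64);
    else handle_put_faulty(&server, &conn, 64);
    return handle_get(&server);
}
```

With the faulty handler, `replay_short_put_then_get(false)` yields 404 for the GET that follows the timed-out PUT; with the corrected handler the same sequence yields 200, because the single exit path releases the file control block regardless of how the receive loop ended.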
Remediation
Developers can disable PUT request processing by terminating such requests in the application's request notify callback function, before the server begins handling the request.
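One way to implement this mitigation, as an added example that is not NetX Duo code: a request notify callback that answers PUT with 405 itself and reports the request as completed, so the server's built-in file handling (and with it the faulty write path) is never reached. The request-type values, the callback shape, the mock server and the request lines are stand-ins constructed for this example; in NetX the corresponding hook is the request notify function the application supplies when the server is created, and its type codes and completion return value come from the NetX headers.

```c
/* Added example: a stand-alone C model of the request-notify mitigation, not
 * NetX Duo code. Request-type values, the callback shape and the mock server
 * are stand-ins for the NetX equivalents. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Stand-ins for the request-type codes the server passes to the callback. */
enum request_type { REQ_UNKNOWN = 0, REQ_GET, REQ_POST, REQ_HEAD, REQ_PUT, REQ_DELETE };

/* Callback result: let the server proceed, or report the request as handled. */
enum notify_result { NOTIFY_CONTINUE = 0, NOTIFY_COMPLETED = 1 };

typedef struct {
    char last_status[48];   /* status line of the last response the server sent */
    int responses_sent;
} mock_server_t;

static void mock_send_status(mock_server_t *s, const char *status_line) {
    strncpy(s->last_status, status_line, sizeof s->last_status - 1);
    s->last_status[sizeof s->last_status - 1] = '\0';
    s->responses_sent++;
}

/* Application callback: answer PUT itself and stop the server before it
 * opens any file, so the faulty write path is never entered. */
static int request_notify(mock_server_t *s, int request_type, const char *resource) {
    (void)resource;                          /* policy does not depend on the path */
    if (request_type == REQ_PUT) {
        mock_send_status(s, "405 Method Not Allowed");
        return NOTIFY_COMPLETED;
    }
    return NOTIFY_CONTINUE;
}

/* Map the method token of a request line to a request-type code. */
static int method_from_request_line(const char *line) {
    static const struct { const char *name; int type; } methods[] = {
        { "GET", REQ_GET }, { "POST", REQ_POST }, { "HEAD", REQ_HEAD },
        { "PUT", REQ_PUT }, { "DELETE", REQ_DELETE },
    };
    const char *sp = strchr(line, ' ');
    size_t len = sp ? (size_t)(sp - line) : strlen(line);
    size_t i;
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        if (strlen(methods[i].name) == len && memcmp(line, methods[i].name, len) == 0)
            return methods[i].type;
    }
    return REQ_UNKNOWN;
}

/* Models the server's dispatch: consult the callback first and only run the
 * built-in handler when the callback lets the request through. Returns the
 * numeric status the client sees. */
static int dispatch(mock_server_t *s, const char *request_line) {
    int type = method_from_request_line(request_line);
    const char *sp = strchr(request_line, ' ');
    const char *resource = sp ? sp + 1 : "";  /* path plus version; ignored by the policy */

    if (request_notify(s, type, resource) == NOTIFY_COMPLETED)
        return (int)strtol(s->last_status, NULL, 10);   /* callback already answered */
    if (type == REQ_UNKNOWN) {
        mock_send_status(s, "501 Not Implemented");
        return 501;
    }
    /* Built-in handling stands in for the server's normal file processing. */
    mock_send_status(s, "200 OK");
    return 200;
}
```

The important property is ordering: the callback runs before any file is opened, so a PUT refused here never reaches the code path that leaves the file control block busy, while GET and HEAD continue to the normal handler unchanged.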