Eclipse ThreadX NetX Duo HTTP Server Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the HTTP server component of Eclipse ThreadX NetX Duo, in versions through 6.4.1. The issue arises when the server processes HTTP PUT requests: if an error occurs after the target file has been opened for writing, the file is never closed. Because the file remains open, subsequent requests for it fail with a 404 error. The vulnerability can be triggered by specially crafted packets, for example a PUT request whose 'Content-Length' value is larger than the data actually sent, which causes a timeout error that is not handled correctly.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, where the server fails to properly handle file requests after the vulnerability is triggered, resulting in repeated 404 errors.

Reproduction

To reproduce this vulnerability, send an HTTP PUT request with a 'Content-Length' header that exceeds the actual data being transmitted. The server will attempt to read the additional data, and when none is received, it will time out and enter an error state. This error state can be confirmed by subsequent HTTP requests, which will receive a 404 Not Found response.

Remediation

Users can upgrade to NetX Duo version 6.4.2 or later, or disable PUT request support in their application.
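The following toy model, added here as an illustration and not taken from NetX Duo or any other project, shows the defect class described in the Vulnerability section beside the shape of fix the Remediation section implies: a PUT handler that opens a file for writing and returns early on a receive timeout without closing it, next to a handler that routes every outcome through a single close. The one-slot "file system", the `receive_body` stand-in for a socket read, the status codes used, and the request that advertises 10 bytes but carries 3 are all constructed assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (added example, not NetX Duo code) of the defect class described
 * in the advisory: a PUT handler opens a file for writing and, on a receive
 * error, returns without closing it, so later requests for that file fail.
 * Names, status codes and the one-slot "file system" are assumptions. */

#define MAX_BODY 64

#define HTTP_OK                200
#define HTTP_NOT_FOUND         404
#define HTTP_REQUEST_TIMEOUT   408
#define HTTP_PAYLOAD_TOO_LARGE 413

typedef struct {
    int    open_for_write;      /* non-zero while a writer holds the file */
    char   data[MAX_BODY];
    size_t len;
} toy_file_t;

typedef struct {
    size_t      content_length; /* value advertised in the Content-Length header */
    const char *body;           /* bytes that actually arrived on the wire */
    size_t      body_len;
} put_request_t;

/* Simulated socket read: the client never sends more than body_len bytes, so
 * asking for more ends in a timeout (-1), which is the error path at issue. */
static int receive_body(const put_request_t *req, char *out, size_t want)
{
    if (want > req->body_len) return -1;
    memcpy(out, req->body, want);
    return (int)want;
}

/* Buggy handler: the early return on timeout leaves the file open. */
int handle_put_buggy(toy_file_t *f, const put_request_t *req)
{
    if (f->open_for_write) return HTTP_NOT_FOUND;   /* still held by an earlier writer */
    if (req->content_length > MAX_BODY) return HTTP_PAYLOAD_TOO_LARGE;
    f->open_for_write = 1;                           /* open for writing */
    if (receive_body(req, f->data, req->content_length) < 0)
        return HTTP_REQUEST_TIMEOUT;                 /* BUG: no close on this path */
    f->len = req->content_length;
    f->open_for_write = 0;                           /* close */
    return HTTP_OK;
}

/* Fixed handler: every outcome after the open flows through one close. */
int handle_put_fixed(toy_file_t *f, const put_request_t *req)
{
    int status;
    if (f->open_for_write) return HTTP_NOT_FOUND;
    if (req->content_length > MAX_BODY) return HTTP_PAYLOAD_TOO_LARGE;
    f->open_for_write = 1;
    if (receive_body(req, f->data, req->content_length) < 0) {
        status = HTTP_REQUEST_TIMEOUT;
    } else {
        f->len = req->content_length;
        status = HTTP_OK;
    }
    f->open_for_write = 0;                           /* close on success and on error */
    return status;
}

/* Simulated GET: a file still open for writing cannot be served (404). */
int handle_get(const toy_file_t *f)
{
    return f->open_for_write ? HTTP_NOT_FOUND : HTTP_OK;
}

/* Runs one truncated PUT (constructed input: header promises 10 bytes, only 3
 * arrive) through the chosen handler, then a GET for the same file. Returns
 * the GET status and reports the PUT status through *put_status. */
int put_then_get(int use_fixed, int *put_status)
{
    toy_file_t file = {0};
    put_request_t truncated = { 10, "abc", 3 };
    *put_status = use_fixed ? handle_put_fixed(&file, &truncated)
                            : handle_put_buggy(&file, &truncated);
    return handle_get(&file);
}

int main(void)
{
    int put, get;
    get = put_then_get(0, &put);
    printf("buggy handler: PUT -> %d, following GET -> %d\n", put, get);
    get = put_then_get(1, &put);
    printf("fixed handler: PUT -> %d, following GET -> %d\n", put, get);
    return 0;
}
```

With the buggy handler the truncated PUT times out and the following GET returns 404, matching the symptom the advisory describes; with the fixed handler the PUT still times out but the file is released and the GET succeeds. The design point is that the close must not depend on reaching the end of the success path: put it on the one exit every outcome shares.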

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM