Eclipse ThreadX NetX Duo HTTP Server Integer Underflow Vulnerability Leading to Denial-of-Service

An integer underflow vulnerability has been identified in the HTTP server functionality of Eclipse ThreadX NetX Duo, in versions prior to 6.4.2. This vulnerability allows an attacker to cause a denial-of-service by sending specially crafted HTTP PUT requests. The first packet can have a Content-Length header indicating a smaller size than the actual data in subsequent packets, leading to an underflow condition. This underflow can be exploited to write excessively large files, potentially consuming all file system resources.

Impact

Exploitation of this vulnerability causes a denial-of-service by overwhelming the file system with large files, which can exhaust available storage resources.

Reproduction

To reproduce this vulnerability, send an HTTP PUT request with a Content-Length header that is smaller than the actual data being transmitted. The server will process the request, leading to an integer underflow that allows for the writing of a very large file. This can be done by first sending a packet that indicates a certain Content-Length, but without any data, followed by another packet that contains data exceeding that length. The server's HTTP PUT process will then misinterpret the packet sizes, causing the underflow.

Remediation

Users can upgrade to Eclipse ThreadX NetX Duo version 6.4.2 or later. Alternatively, HTTP PUT support can be disabled in the application.