BACnet Stack Out-of-Bounds Read Vulnerability in WritePropertyMultiple Decoder

Vulnerability

An out-of-bounds read vulnerability has been identified in BACnet Stack versions 1.5.0.rc1 and 1.4.0 prior to 1.4.2. This vulnerability allows unauthenticated remote attackers to read beyond allocated buffer boundaries by sending a truncated WritePropertyMultiple (WPM) request. The issue arises because the WPM decoder calls a deprecated function that lacks proper bounds checking on the input buffer. As a result, a crafted BACnet/IP packet can cause the decoder to read 1 to 7 bytes past the end of the buffer, leading to crashes or information disclosure on embedded BACnet devices.
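The bug class described above, as an added example that is not code from BACnet Stack: a decoder that trusts the length bits in a tag octet, next to one that checks them against the number of bytes actually received. The function names, the restriction to an application-tagged Unsigned Integer of 1 to 4 octets, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DECODE_ERROR (-1)

/* Legacy-style decoder (hypothetical): it takes no buffer length, so it
 * trusts the length bits in the tag octet and reads that many bytes. */
int decode_unsigned_unchecked(const uint8_t *apdu, uint32_t *value)
{
    unsigned len = apdu[0] & 0x07;
    uint32_t v = 0;
    for (unsigned i = 0; i < len; i++)
        v = (v << 8) | apdu[1 + i]; /* reads past the data if truncated */
    *value = v;
    return (int)(1 + len);
}

/* Bounds-checked decoder: returns bytes consumed, or DECODE_ERROR. */
int decode_unsigned_checked(const uint8_t *apdu, size_t apdu_len,
                            uint32_t *value)
{
    if (apdu == NULL || value == NULL || apdu_len < 1)
        return DECODE_ERROR;
    /* Application tag 2 (Unsigned Integer), class bit clear. */
    if ((apdu[0] >> 4) != 2 || (apdu[0] & 0x08) != 0)
        return DECODE_ERROR;
    size_t len = apdu[0] & 0x07;
    if (len < 1 || len > 4)       /* this sketch handles 1..4 octets */
        return DECODE_ERROR;
    if (apdu_len - 1 < len)       /* value octets missing: truncated */
        return DECODE_ERROR;
    uint32_t v = 0;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | apdu[1 + i];
    *value = v;
    return (int)(1 + len);
}

int main(void)
{
    /* Constructed samples: tag 0x24 = Unsigned, 4 value octets. */
    const uint8_t full[] = { 0x24, 0x00, 0x01, 0x86, 0xA0 };
    const uint8_t cut[]  = { 0x24, 0x00 }; /* 3 value octets missing */
    uint32_t v = 0;
    printf("full: %d\n", decode_unsigned_checked(full, sizeof full, &v));
    printf("cut:  %d\n", decode_unsigned_checked(cut, sizeof cut, &v));
    return 0;
}
```

The checked variant rejects the truncated sample before touching any value octet; the unchecked variant has no way to know the buffer ended early.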

Impact

Exploitation of this vulnerability causes a stack buffer overflow, which can lead to a crash or unauthorized memory access, potentially disclosing sensitive information from adjacent memory.

Reproduction

The vulnerability can be reproduced by sending a BACnet/IP packet with a truncated property payload to a device running BACnet Stack with the WritePropertyMultiple service handler enabled. The WPM decoder will read out of bounds, causing a stack-buffer-overflow error.

Remediation

Users can upgrade to BACnet Stack versions 1.5.0 or 1.4.3, both of which include the necessary fix. Instructions for upgrading are available in the BACnet Stack repository.

Added: Apr 24, 2026, 8:47 PM
Updated: Apr 24, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 3.1
exploitability: 6.2
remediation: 7.7
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.