BACnet Stack Off-by-One Out-of-Bounds Read Vulnerability in ReadPropertyMultiple Service

Vulnerability

An off-by-one out-of-bounds read vulnerability has been identified in BACnet Stack versions 1.5.0.rc1 and 1.4.0 prior to 1.4.3. It resides in the ReadPropertyMultiple service decoder, specifically in the 'rpm_decode_object_id()' function. An unauthenticated remote attacker can read one byte beyond an allocated buffer by sending a crafted ReadPropertyMultiple request with a truncated object identifier. The root cause is that the function rejects the request only when the APDU length is less than 5 bytes, yet goes on to access all six byte positions (indices 0 through 5), so a 5-byte request passes the check and the sixth read falls outside the buffer, crashing embedded BACnet devices. The vulnerability affects any deployment that enables the ReadPropertyMultiple confirmed service handler, which is enabled by default in the reference server.

Impact

Exploitation of this vulnerability causes a stack buffer overflow, leading to a crash of the affected BACnet device.

Reproduction

The vulnerability can be reproduced by sending a ReadPropertyMultiple request whose object identifier is truncated to 5 bytes. Such input passes the length check but triggers an out-of-bounds read when the decoder accesses the sixth byte, which lies outside the allocated buffer. This can be done with a C program that calls the 'rpm_decode_object_id()' function on a 5-byte buffer containing a context tag and a 4-byte object ID.

Remediation

Users can upgrade to BACnet Stack versions 1.5.0 or 1.4.3, where this vulnerability has been fixed.
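To make the corrected bounds check concrete, the following is an added example written for this advisory: a simplified decoder of my own (not BACnet Stack's rpm_decode_object_id(), and not its real signature) that requires all six bytes it touches before indexing any of them, so a 5-byte request is rejected instead of read past. It assumes the sixth byte the decoder inspects is the opening context tag 1 that begins the property-reference list, and the tag helper and sample requests are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* BACnet tag byte layout (assumed here, not the project's own macros):
 * upper nibble = tag number, bit 3 = context-specific, low 3 bits =
 * data length (4 for an object id) or 6 for an opening tag. */
#define OBJECT_ID_LEN       4
#define RPM_OBJECT_ID_BYTES 6 /* tag(1) + object id(4) + opening tag 1(1) */

static bool is_context_tag(uint8_t b, uint8_t tag, uint8_t len)
{
    return b == (uint8_t)((tag << 4) | 0x08 | len);
}

/* Hardened decoder (simplified, hypothetical signature). Returns bytes
 * consumed or -1. Indices 0..5 are read below, so the guard must require
 * 6 bytes; the off-by-one guard described above (apdu_len < 5) still let
 * a 5-byte request reach apdu[5]. */
int rpm_decode_object_id_safe(const uint8_t *apdu, size_t apdu_len,
                              uint32_t *object_type, uint32_t *instance)
{
    if (apdu == NULL || apdu_len < RPM_OBJECT_ID_BYTES)
        return -1;
    if (!is_context_tag(apdu[0], 0, OBJECT_ID_LEN)) /* context tag 0 */
        return -1;
    uint32_t id = ((uint32_t)apdu[1] << 24) | ((uint32_t)apdu[2] << 16) |
                  ((uint32_t)apdu[3] << 8) | apdu[4];
    if (!is_context_tag(apdu[5], 1, 6)) /* opening tag 1: property list */
        return -1;
    *object_type = id >> 22;    /* top 10 bits of the object identifier */
    *instance = id & 0x3FFFFFu; /* low 22 bits */
    return RPM_OBJECT_ID_BYTES;
}

/* Constructed sample requests (not captured traffic): device,5 with the
 * opening tag present, and the same object id cut off after 5 bytes. */
static const uint8_t kValidReq[6] = {0x0C, 0x02, 0x00, 0x00, 0x05, 0x1E};
static const uint8_t kTruncatedReq[5] = {0x0C, 0x02, 0x00, 0x00, 0x05};

/* Thin wrappers so each decoded field can be checked in isolation. */
int rpm_consumed(const uint8_t *a, size_t n) { uint32_t t, i; return rpm_decode_object_id_safe(a, n, &t, &i); }
uint32_t rpm_object_type(const uint8_t *a, size_t n) { uint32_t t = 0, i = 0; return rpm_decode_object_id_safe(a, n, &t, &i) < 0 ? UINT32_MAX : t; }
uint32_t rpm_instance(const uint8_t *a, size_t n) { uint32_t t = 0, i = 0; return rpm_decode_object_id_safe(a, n, &t, &i) < 0 ? UINT32_MAX : i; }
```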

Added: Apr 24, 2026, 8:45 PM
Updated: Apr 24, 2026, 8:45 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 3.1
exploitability: 6.2
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.