BACnet Stack Out-of-Bounds Read Vulnerability in ReadPropertyMultiple Decoder

Vulnerability

An out-of-bounds read vulnerability has been identified in BACnet Stack versions 1.5.0.rc1 and 1.4.0-1.4.2. The issue lies in the ReadPropertyMultiple service property decoder: an unauthenticated remote attacker can send a request whose property list is truncated, and the decoder then reads past the end of the received buffer, crashing embedded BACnet devices. The root cause is that rpm_decode_object_property() calls the deprecated decode_tag_number_and_value() function, which takes no buffer length parameter and reads from the received pointer without checking how many bytes remain. A crafted BACnet/IP packet that ends on the extended tag marker triggers the out-of-bounds read.

Impact

Exploitation of this vulnerability causes a stack-buffer overflow, leading to a crash of the affected BACnet device.

Reproduction

The vulnerability can be reproduced by sending a BACnet/IP packet whose property payload is a single byte containing the extended tag marker 0xF9. A C program compiled with AddressSanitizer that calls rpm_decode_object_property() on this crafted payload reports the out-of-bounds access.

Remediation

Users can update to BACnet Stack version 1.5.0 or 1.4.3, both of which include the necessary fix.
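The decoder described above fails because nothing tells it how many bytes remain after the tag marker. The following bounds-checked BACnet tag header decoder is an added illustration of the defensive shape such a fix takes; it is not code from the BACnet Stack project, and the function name, struct name and constructed test inputs are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decoded BACnet tag header (hypothetical struct, not the library's own). */
typedef struct {
    uint8_t tag_number;     /* 0..254; values >= 15 are carried in a second byte */
    bool context_specific;  /* class bit: false = application tag, true = context tag */
    uint32_t lvt;           /* length/value/type field, after any length extension */
} TagHeader;

/*
 * Bounds-checked tag header decoder. Returns the number of header bytes
 * consumed, or 0 if the header does not fit in the `len` bytes available.
 * Every read is guarded by a remaining-length check, so a truncated payload
 * that ends on the extended-tag marker 0xF9 is rejected instead of read past.
 */
size_t decode_tag_header_checked(const uint8_t *buf, size_t len, TagHeader *out)
{
    size_t pos = 0;
    if (buf == NULL || out == NULL || len < 1) return 0;
    uint8_t first = buf[pos++];
    out->context_specific = (first & 0x08) != 0;
    out->tag_number = first >> 4;
    out->lvt = first & 0x07;
    /* Upper nibble 0xF: the real tag number lives in the next octet. */
    if (out->tag_number == 0x0F) {
        if (pos >= len) return 0;   /* marker with nothing after it: the truncated case */
        out->tag_number = buf[pos++];
    }
    /* Low bits == 5: an extended length follows (1, 3 or 5 more octets). */
    if (out->lvt == 5) {
        if (pos >= len) return 0;
        uint8_t l = buf[pos++];
        if (l < 254) {
            out->lvt = l;
        } else if (l == 254) {
            if (pos + 2 > len) return 0;
            out->lvt = ((uint32_t)buf[pos] << 8) | buf[pos + 1];
            pos += 2;
        } else {
            if (pos + 4 > len) return 0;
            out->lvt = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
                       ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
            pos += 4;
        }
    }
    return pos;
}
```

A caller that checks for a zero return, and then verifies that `lvt` content bytes also fit in the remaining length, never dereferences beyond the received buffer.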

Added: Apr 24, 2026, 8:44 PM
Updated: Apr 24, 2026, 8:44 PM

Vulnerability Rating

Custom Algorithm

spread:         6.8
impact:         3.1
exploitability: 6.2
remediation:    7.7
relevance:      6.5
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.