Skip to content

Eclipse ThreadX NetX Duo HTTP server denial of service vulnerability (TALOS-2024-2098)

Moderate
mrybczyn published GHSA-pwf8-5q9w-m763 Feb 21, 2025

Package

NetX Duo (Eclipse ThreadX)

Affected versions

<= 6.4.1

Patched versions

6.4.2

Description

Summary

A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Users interested in the fix for this issue should likely also apply the fix for GHSA-f42f-6fvv-xqx3 (CVE-2025-2260)

Confirmed Vulnerable Versions

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Eclipse ThreadX NetX Duo git commit 6c8e9d1

Product URLs

Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo

Details

Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. Eclipse ThreadX NetX Duo offers a dual network stack supporting both IPv4 and IPv6

While processing an HTTP PUT request, the HTTP server will create the requested file and open it for writing. If an error occurs after the file is opened, the file is not properly closed. After that, any subsequent HTTP requests involving a file resource will result in the server responding with a 404 file not found error. This vulnerability affects both HTTP server implementations within NetX Duo.

As you can see in the code below, when an error occurs after the file has been opened, the function _nx_web_http_server_put_process does not properly close the file. A malicious actor can cause this behavior by providing a Content-Length value that is larger than the data contained in the first packet and then fail to send any additional data. The larger Content-Length value will cause the code to attempt to receive an additional packet at [2]. When no additional data is received that call times out, and execution flow will enter the error condition at [3] which leads to an early return at [4] without calling fx_file_close.

File: netxduo\addons\web\nx_web_http_server.c
4213: VOID  _nx_web_http_server_put_process(NX_WEB_HTTP_SERVER *server_ptr, NX_PACKET *packet_ptr)
4214: {
...
4454:     /* Open the specified file for writing.  */
4455:     status =  fx_file_open(server_ptr -> nx_web_http_server_media_ptr, &(server_ptr -> nx_web_http_server_file), server_ptr -> nx_web_http_server_request_resource, FX_OPEN_FOR_WRITE);   /*[1]*/
...
4561:     /* If necessary, receive more packets from the TCP socket to complete the write request.  */
4562:     while (length || server_ptr -> nx_web_http_server_request_chunked)
4563:     {
4564: 
4565:         /* Wait for a request.  */
4566:         status = _nx_web_http_server_packet_get(server_ptr, &data_packet_ptr);    /*[2]*/
4567: 
4568:         /* Check the return status.  */
4569:         if (status != NX_SUCCESS)     /*[3]*/
4570:         {
4571: 
4572:             if (status == NX_WEB_HTTP_GET_DONE)
4573:             {
4574:                 break;
4575:             }
4576: 
4577:             /* Send response back to HTTP Client.  */
4578:             _nx_web_http_server_response_send(server_ptr, NX_WEB_HTTP_STATUS_INTERNAL_ERROR,
4579:                                               sizeof(NX_WEB_HTTP_STATUS_INTERNAL_ERROR) - 1,
4580:                                               "NetX HTTP Receive Timeout",
4581:                                               sizeof("NetX HTTP Receive Timeout") - 1, NX_NULL, 0);
4582: 
4583:             /* Error, return to caller.  */
4584:             return;   /*[4]*/
4585:         }

The NetX Component HTTP server implementation uses a single file pointer in it's instance object. This same file pointer variable is used for processing each request. For example, when processing a subsequent GET request the file pointer server_ptr -> nx_http_server_file at [5] below is the same variable that was used above in _nx_web_http_server_put_process at [1]. Below is the code for processing a GET request.

File: netxduo\addons\web\nx_web_http_server.c
3670: VOID  _nx_web_http_server_get_process(NX_WEB_HTTP_SERVER *server_ptr, UINT request_type, NX_PACKET *packet_ptr)
3671: {
...
3998:     /* Open the specified file for reading.  */
3999:     status =  fx_file_open(server_ptr -> nx_web_http_server_media_ptr, &(server_ptr -> nx_web_http_server_file), server_ptr -> nx_web_http_server_request_resource, FX_OPEN_FOR_READ);    /*[5]*/

The function used to open a file _fxe_file_open checks if the provided file pointer is already open at [6] and will return an error rather than opening the requested file. Therefore any subsequent HTTP requests involving any file resource will result in the HTTP server responding with a 404 file not found error.

File: filex\common\src\fxe_file_open.c
77: UINT  _fxe_file_open(FX_MEDIA *media_ptr, FX_FILE *file_ptr, CHAR *file_name, UINT open_type, UINT file_control_block_size)
78: {
...
103:     /* Check for a duplicate file open.  */
104: 
105:     /* Loop to search the list for the same file handle.  */
106:     current_file =  media_ptr -> fx_media_opened_file_list;
107:     open_count =    media_ptr -> fx_media_opened_file_count;
108: 
109:     while (open_count--)
110:     {
111: 
112:         /* See if a match exists.  */
113:         if (file_ptr == current_file)      /*[6]*/
114:         {
115: 
116:             /* Release protection.  */
117:             FX_UNPROTECT
118: 
119:             /* Return error.  */
120:             return(FX_PTR_ERROR);
121:         }
122: 
123:         /* Move to the next opened file.  */
124:         current_file =  current_file -> fx_file_opened_next;
125:     }

NetX Duo Web Component HTTP server

This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in netxduo\addons\web\nx_web_http_server.c

Mitigation

Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.

NetX Duo Component HTTP server

This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in netxduo\addons\http\nxd_http_server.c

Mitigation

Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.

Credit

Discovered by Kelly Patterson of Cisco Talos.

https://talosintelligence.com/vulnerability_reports/

Timeline

2025-01-22 - Public Release

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2025-0726

Weaknesses

Incomplete Cleanup

The product does not properly clean up and remove temporary or supporting resources after they have been used. Learn more on MITRE.