Talos Vulnerability Report

TALOS-2024-2097

STMicroelectronics X-CUBE-AZRTOS-F7 HTTP server denial of service vulnerability

April 2, 2025
CVE Number

CVE-2024-50384,CVE-2024-50385

SUMMARY

A denial of service vulnerability exists in the NetX Component HTTP server functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

STMicroelectronics X-CUBE-AZRT-H7RS 1.0.0
STMicroelectronics X-CUBE-AZRTOS-F7 1.1.0
STMicroelectronics X-CUBE-AZRTOS-F4 1.1.0
STMicroelectronics X-CUBE-AZRTOS-G0 1.1.0
STMicroelectronics X-CUBE-AZRTOS-G4 2.0.0
STMicroelectronics X-CUBE-AZRTOS-L4 2.0.0
STMicroelectronics X-CUBE-AZRTOS-L5 2.0.0
STMicroelectronics X-CUBE-AZRTOS-WB 2.0.0
STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0
STMicroelectronics X-CUBE-AZRTOS-H7 3.3.0

PRODUCT URLS

X-CUBE-AZRTOS-WL - https://www.st.com/en/embedded-software/x-cube-azrtos-wl.html X-CUBE-AZRT-H7RS - https://www.st.com/en/embedded-software/x-cube-azrt-h7rs.html X-CUBE-AZRTOS-F4 - https://www.st.com/en/embedded-software/x-cube-azrtos-f4.html X-CUBE-AZRTOS-F7 - https://www.st.com/en/embedded-software/x-cube-azrtos-f7.html X-CUBE-AZRTOS-G0 - https://www.st.com/en/embedded-software/x-cube-azrtos-g0.html X-CUBE-AZRTOS-G4 - https://www.st.com/en/embedded-software/x-cube-azrtos-g4.html X-CUBE-AZRTOS-H7 - https://www.st.com/en/embedded-software/x-cube-azrtos-h7.html X-CUBE-AZRTOS-L4 - https://www.st.com/en/embedded-software/x-cube-azrtos-l4.html X-CUBE-AZRTOS-L5 - https://www.st.com/en/embedded-software/x-cube-azrtos-l5.html X-CUBE-AZRTOS-WB - https://www.st.com/en/embedded-software/x-cube-azrtos-wb.html

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-459 - Incomplete Cleanup

DETAILS

X-CUBE-AZRTOS-F7 (Azure RTOS STM32Cube Expansion Package) offers comprehensive integration of Microsoft Azure RTOS within the STM32Cube environment for the STM32F7 series microcontrollers. This Expansion Package encompasses a range of Azure RTOS middleware components, including the RTOS (ThreadX), USB Host and Device (USBX), file system with support for NOR and NAND flash memories (FileX and LevelX), and networking capabilities that include Ethernet and WiFi media (NetX Duo).

While processing an HTTP PUT request, the HTTP server will create the requested file and open it for writing. If an error occurs after the file is opened, the file is not properly closed. After that, any subsequent HTTP requests involving a file resource will result in the server responding with a 404 file not found error. This vulnerability affects both HTTP server implementations within X-CUBE-AZRTOS-F7.

As you can see in the code below, when an error occurs after the file has been opened, the function _nx_web_http_server_put_process does not properly close the file. A malicious actor can cause this behavior by providing a Content-Length value that is larger than the data contained in the first packet and then fail to send any additional data. The larger Content-Length value will cause the code to attempt to receive an additional packet at [2]. When no additional data is received that call times out, and execution flow will enter the error condition at [3] which leads to an early return at [4] without calling fx_file_close.

File: x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\web\nx_web_http_server.c
4099: VOID  _nx_web_http_server_put_process(NX_WEB_HTTP_SERVER *server_ptr, NX_PACKET *packet_ptr)
4100: {
...
4340:     /* Open the specified file for writing.  */
4341:     status =  fx_file_open(server_ptr -> nx_web_http_server_media_ptr, &(server_ptr -> nx_web_http_server_file), server_ptr -> nx_web_http_server_request_resource, FX_OPEN_FOR_WRITE);       /*[1]*/
...
4447:     /* If necessary, receive more packets from the TCP socket to complete the write request.  */
4448:     while (length || server_ptr -> nx_web_http_server_request_chunked)
4449:     {
4450: 
4451:         /* Wait for a request.  */
4452:         status = _nx_web_http_server_packet_get(server_ptr, &data_packet_ptr);    /*[2]*/
4453: 
4454:         /* Check the return status.  */
4455:         if (status != NX_SUCCESS)     /*[3]*/
4456:         {
4457: 
4458:             if (status == NX_WEB_HTTP_GET_DONE)
4459:             {
4460:                 break;
4461:             }
4462: 
4463:             /* Send response back to HTTP Client.  */
4464:             _nx_web_http_server_response_send(server_ptr, NX_WEB_HTTP_STATUS_INTERNAL_ERROR,
4465:                                               sizeof(NX_WEB_HTTP_STATUS_INTERNAL_ERROR) - 1,
4466:                                               "NetX HTTP Receive Timeout",
4467:                                               sizeof("NetX HTTP Receive Timeout") - 1, NX_NULL, 0);
4468: 
4469:             /* Error, return to caller.  */
4470:             return;   /*[4]*/
4471:         }

The NetX Component HTTP server implementation uses a single file pointer in it’s instance object. This same file pointer variable is used for processing each request. For example, when processing a subsequent GET request the file pointer server_ptr -> nx_http_server_file at [5] below is the same variable that was used above in _nx_web_http_server_put_process at [1]. Below is the code for processing a GET request.

File: x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\web\nx_web_http_server.c
3556: VOID  _nx_web_http_server_get_process(NX_WEB_HTTP_SERVER *server_ptr, UINT request_type, NX_PACKET *packet_ptr)
3557: {
...
3884:     /* Open the specified file for reading.  */
3885:     status =  fx_file_open(server_ptr -> nx_web_http_server_media_ptr, &(server_ptr -> nx_web_http_server_file), server_ptr -> nx_web_http_server_request_resource, FX_OPEN_FOR_READ);    /*[5]*/

The function used to open a file _fxe_file_open checks if the provided file pointer is already open at [6] and will return an error rather than opening the requested file. Therefore any subsequent HTTP requests involving any file resource will result in the HTTP server responding with a 404 file not found error.

File: x-cube-azrtos-f7\Middlewares\ST\filex\common\src\fxe_file_open.c
78: UINT  _fxe_file_open(FX_MEDIA *media_ptr, FX_FILE *file_ptr, CHAR *file_name, UINT open_type, UINT file_control_block_size)
79: {
...
106:     /* Loop to search the list for the same file handle.  */
107:     current_file =  media_ptr -> fx_media_opened_file_list;
108:     open_count =    media_ptr -> fx_media_opened_file_count;
109: 
110:     while (open_count--)
111:     {
112: 
113:         /* See if a match exists.  */
114:         if (file_ptr == current_file)  /*[6]*/
115:         {
116: 
117:             /* Release protection.  */
118:             FX_UNPROTECT
119: 
120:             /* Return error.  */
121:             return(FX_PTR_ERROR);
122:         }
123: 
124:         /* Move to the next opened file.  */
125:         current_file =  current_file -> fx_file_opened_next;
126:     }

CVE-2024-50384 - NetX Duo Web Component HTTP Server

This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\web\nx_web_http_server.c

Mitigation

Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.

CVE-2024-50385 - NetX Duo Component HTTP Server

This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\http\nxd_http_server.c

Mitigation

Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.

TIMELINE

2024-11-04 - Vendor Disclosure
2025-03-27 - Vendor Patch Release
2025-04-02 - Public Release

Credit

Discovered by Kelly Patterson of Cisco Talos.

TALOS-2024-2103

TALOS-2024-2096