A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability.
An attacker sends a specially crafted network packet to an HTTP server based on the uC-HTTP library. This packet causes a heap-based buffer overflow, which corresponds to CWE-122 and CWE-787 classifications (write out of buffer bounds). Exploiting this vulnerability can lead to hijacking the program execution flow and running arbitrary code on the vulnerable device.
An attacker can remotely execute arbitrary code (RCE) on a vulnerable device without any prior privileges, which in practice means complete takeover of the system, and in the case of IoT/embedded devices — also control over the supported physical infrastructure.
Patches available from the manufacturer should be applied according to the references (Cisco Talos TALOS-2023-1843). It is also recommended to restrict network access to devices using the uC-HTTP library through firewall or network segmentation until the patch is deployed.
Weston Embedded uC-HTTP (commit 80d4004) and Silabs Gecko Software Development Kit containing this library; specific versions indicated in manufacturer references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HSilabs Gecko Software Development Kit
APPSilabs4.3.2.0Weston Embedded Uc Http
APPWeston-Embeddedwszystkie wersje
Related vulnerabilities
Silabs Gecko SDK: dostęp do pamięci TrustZone z niezaufanego regionu
Błąd walidacji wejścia w TrustZone SDK Silicon Labs — dostęp do pamięci bezpiecznej
A heap-based buffer overflow vulnerability exists in the HTTP Server form boundary functionality of Weston Emb...
A memory corruption vulnerability exists in the HTTP Server form boundary functionality of Weston Embedded uC-...
A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP ...