CVE-2024-50384 in X-CUBE-AZRT-H7RS
Summary
by MITRE • 04/02/2025
A denial of service vulnerability exists in the NetX Component HTTP server functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.This vulnerability affects X-CUBE-AZRTOS-F7 NetX Duo Web Component HTTP server v 1.1.0. This HTTP server implementation is contained in this file - x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\web\nx_web_http_server.c
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/05/2025
This vulnerability resides within the NetX Duo Web Component HTTP server implementation of STMicroelectronics X-CUBE-AZRTOS-F7 version 1.1.0, specifically in the x_web_http_server.c file. The issue represents a denial of service condition that can be triggered through the manipulation of HTTP server functionality, making it a critical concern for embedded systems utilizing this middleware component. The vulnerability stems from inadequate input validation mechanisms within the HTTP server's packet processing logic, where maliciously crafted network packets can cause the server to become unresponsive or crash entirely.
The technical flaw manifests as a lack of proper boundary checking and validation of incoming HTTP request data structures. When the HTTP server processes malformed packets containing unexpected or oversized data fields, the system fails to properly handle these edge cases, leading to memory corruption or execution flow disruption. This type of vulnerability aligns with CWE-129, which addresses insufficient validation of length of input buffers, and CWE-121, concerning stack-based buffer overflow conditions. The attack vector requires minimal privileges as an attacker only needs network access to send malicious packets to the vulnerable system, making it particularly dangerous in networked embedded environments.
The operational impact of this vulnerability extends beyond simple service interruption, as it can compromise the reliability of critical embedded systems that depend on continuous HTTP server functionality. In industrial IoT applications, medical devices, or automotive systems where the X-CUBE-AZRTOS-F7 middleware is deployed, such a denial of service condition could lead to complete system unavailability, potentially resulting in safety hazards or operational failures. The vulnerability affects systems that implement the NetX Duo Web Component HTTP server, which is commonly used in STMicroelectronics' middleware stack for ARM Cortex-M processors. Attackers leveraging this vulnerability can exploit it through the standard network communication protocols, making it difficult to detect and prevent without proper network segmentation or intrusion detection measures.
Mitigation strategies should focus on immediate firmware updates from STMicroelectronics that address the input validation gaps in the HTTP server implementation. Organizations should also implement network-level protections such as firewalls with deep packet inspection capabilities to filter malformed HTTP requests before they reach the vulnerable server. Additionally, network segmentation can help limit the attack surface by isolating the affected components from critical network segments. The vulnerability demonstrates the importance of proper input validation in embedded systems and aligns with ATT&CK technique T1499.004, which covers network denial of service attacks. Security monitoring should include detection of unusual HTTP traffic patterns and potential buffer overflow indicators, while regular security assessments of middleware components should be conducted to identify similar vulnerabilities in the system architecture.