CVE-2024-50594 in X-CUBE-AZRT-H7RSinfo

Summary

by MITRE • 04/02/2025

An integer underflow vulnerability exists in the HTTP server PUT request functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\web\nx_web_http_server.c

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/05/2025

The integer underflow vulnerability identified in CVE-2024-50594 represents a critical flaw within the STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 software stack, specifically within the NetX Duo Web Component HTTP Server implementation. This vulnerability manifests in the PUT request handling functionality and operates at the intersection of network protocol processing and memory management. The affected component resides within the x-cube-azrtos-f7\Middlewares\ST\etxduo\addons\web directory structure, specifically in the x_web_http_server.c source file. The vulnerability stems from inadequate input validation and boundary checking mechanisms that fail to properly handle integer overflow conditions during HTTP PUT request processing, creating a scenario where legitimate network operations can be exploited to disrupt system functionality.

The technical exploitation of this vulnerability occurs when an attacker crafts malicious network packets that manipulate integer values within the HTTP server's request processing pipeline. When the server attempts to process a PUT request with specifically crafted parameters, the integer underflow condition causes unexpected behavior in memory allocation or buffer management routines. This flaw falls under the CWE-191 Integer Underflow (Wrap) category, which specifically addresses situations where integer operations result in values that wrap around to extremely small or negative numbers, potentially leading to buffer overflows or memory corruption. The vulnerability demonstrates a classic example of how improper integer arithmetic handling can create exploitable conditions in embedded network systems, particularly those designed for resource-constrained environments.

The operational impact of this vulnerability extends beyond simple denial of service, potentially compromising the overall stability and availability of systems relying on the affected STMicroelectronics software stack. An attacker exploiting this vulnerability can systematically disrupt HTTP server operations by sending carefully constructed sequences of network requests that trigger the integer underflow condition repeatedly. This creates a persistent denial of service scenario that can affect web-based management interfaces, remote configuration capabilities, or any application relying on the affected HTTP server implementation. The vulnerability's impact is particularly concerning in embedded IoT and industrial control systems where such denial of service conditions can lead to operational disruptions or compromise the availability of critical infrastructure components. The attack vector requires only network access to the affected system, making it particularly dangerous in environments where physical security measures may be inadequate.

Mitigation strategies for this vulnerability should focus on implementing robust input validation and integer boundary checking within the affected HTTP server implementation. System administrators should prioritize updating to patched versions of the STMicroelectronics X-CUBE-AZRTOS-WL software stack, as provided by the vendor, to address the underlying integer underflow condition. Network-level protections including firewall rules and access control lists can help limit exposure by restricting access to the affected HTTP server endpoints. Additionally, implementing intrusion detection systems that monitor for anomalous HTTP PUT request patterns may help identify exploitation attempts. The vulnerability's classification under CWE-191 emphasizes the need for developers to implement comprehensive integer overflow protection mechanisms, including proper validation of input parameters and implementation of safe arithmetic operations. Organizations should also consider implementing network segmentation to isolate systems running the affected software and establish monitoring protocols that can detect service disruption patterns consistent with this type of denial of service attack, aligning with defensive strategies recommended in the MITRE ATT&CK framework for network service disruption techniques.

Responsible

Talos

Reservation

10/25/2024

Disclosure

04/02/2025

Moderation

accepted

CPE

ready

EPSS

0.00707

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!