CVE-2024-50597 in X-CUBE-AZRT-H7RSinfo

Summary

by MITRE • 04/02/2025

An integer underflow vulnerability exists in the HTTP server PUT request functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\http\nxd_http_server.c

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/05/2025

The integer underflow vulnerability identified in CVE-2024-50597 represents a critical flaw within the STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0 firmware suite, specifically within the NetX Duo Component HTTP Server implementation. This vulnerability resides in the x-cube-azrtos-f7\Middlewares\ST\etxduo\addons\http\xd_http_server.c source file, where the HTTP server's PUT request handling mechanism fails to properly validate integer values during packet processing. The flaw manifests when the server receives specially crafted network packets that manipulate integer parameters, leading to unexpected behavior in the underlying arithmetic operations. According to CWE-191, this vulnerability falls under integer underflow conditions where an operation attempts to subtract a value from an integer that results in a value below the minimum representable value for that integer type. The issue directly impacts the HTTP server's ability to process legitimate requests while simultaneously creating opportunities for malicious actors to disrupt service availability.

The operational impact of this vulnerability extends beyond simple denial of service conditions, as it creates a potential attack surface that adversaries can exploit to compromise system stability and availability. When an attacker crafts a malicious packet with manipulated integer values, the HTTP server's PUT request handler executes an integer underflow condition that can cause the server to crash or enter an undefined state. This behavior aligns with ATT&CK technique T1499.004, which describes network denial of service attacks targeting network infrastructure components. The vulnerability specifically affects the NetX Duo Component's HTTP server implementation, which serves as a critical communication interface for embedded systems utilizing STMicroelectronics' Azure RTOS wireless solutions. The integer underflow condition can result in memory corruption patterns that may lead to unpredictable system behavior, potentially allowing for more sophisticated exploitation attempts beyond simple service disruption.

Mitigation strategies for CVE-2024-50597 should prioritize immediate firmware updates from STMicroelectronics, as the vendor has likely addressed this vulnerability in subsequent releases of the X-CUBE-AZRTOS-WL middleware. Organizations should implement network segmentation and access controls to limit exposure to the affected HTTP server functionality, particularly in environments where wireless communication is critical. The vulnerability's nature suggests that input validation controls should be strengthened at the packet parsing layer to prevent integer underflow conditions before they can be exploited. Network monitoring solutions should be configured to detect anomalous HTTP PUT request patterns that may indicate exploitation attempts, while also implementing rate limiting mechanisms to prevent flood attacks targeting the vulnerable server component. Additionally, system administrators should conduct thorough vulnerability assessments of all embedded devices running affected firmware versions to identify potential attack vectors and ensure comprehensive security posture maintenance across the entire wireless infrastructure deployment.

Responsible

Talos

Reservation

10/25/2024

Disclosure

04/02/2025

Moderation

accepted

CPE

ready

EPSS

0.00707

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!