Overview
CVE-2020-36872 describes a remote denial-of-service (DoS) vulnerability affecting BACnet Test Server versions up to and including 1.01. This vulnerability resides in the application’s handling of BACnet/IP BVLC packets. By sending a specially crafted UDP BVLC frame with a malformed BVLC Length field, an unauthenticated attacker can trigger an access violation, causing the server application to crash and resulting in a DoS condition. This can disrupt or completely halt BACnet testing procedures.
Technical Details
The BACnet Test Server software listens for incoming UDP BVLC frames on the default BACnet port (47808/udp). The core of the vulnerability lies in the insufficient validation of the BVLC Length field within these frames. A malicious actor can craft a packet where the BVLC Length field contains an invalid value (e.g., a value that is too large or negative). When the server attempts to process this packet based on the malformed length, it leads to an access violation and subsequent crash. This is because the server attempts to read from or write to a memory location outside of the allocated buffer, which the OS will kill.
CVSS Analysis
Due to the nature of available information, a proper CVSS score isn’t provided by NVD, but a CVSS score can be created to fit the conditions:
- CVSS Base Score: (To be calculated)
Since the vulnerability results in a Denial of Service against a network service with no Authentication required it is likely HIGH Severity. A suggested CVSS v3.x vector string and score:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Score: 7.5 (High)
Possible Impact
A successful exploit of CVE-2020-36872 can have the following impacts:
- Denial of Service: The primary impact is a denial-of-service condition, rendering the BACnet Test Server unavailable.
- Disrupted Testing: This DoS can significantly disrupt or halt BACnet testing activities, impacting product development and certification processes.
- Potential Secondary Attacks: While the reported vulnerability leads to a crash, the initial access violation could potentially be chained with other vulnerabilities to achieve more severe consequences, although this is not explicitly stated in the existing vulnerability reports.
Mitigation or Patch Steps
To mitigate the risk associated with CVE-2020-36872, the following steps should be taken:
- Upgrade BACnet Test Server: Upgrade to a version of BACnet Test Server that includes a fix for this vulnerability. Check the BACnet Test Server website for available updates.
- Network Segmentation: Isolate the BACnet Test Server on a separate network segment to limit the potential impact of a successful exploit.
- Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS rules to detect and block malicious BVLC packets targeting the BACnet Test Server.
- Input Validation: Ensure that all BACnet/IP BVLC packets are properly validated, including the BVLC Length field, to prevent access violations. (This is a recommendation for the vendor to prevent future vulnerabilities.)
