Jan 27, 2021

Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered two vulnerabilities in Micrium uc-HTTP’s HTTP server that could cause denial-of-service conditions. An attacker could trigger these vulnerabilities by targeting the user machine with specially crafted HTTP requests. The uC-HTTP server implementation is designed to be used on embedded systems running the µC/OS II or µC/OS III RTOS kernels. This HTTP server supports many features, including persistent connections, form processing, chunked transfer encoding, HTTP header fields processing, HTTP query string processing and dynamic content. In accordance with our coordinated disclosure policy, Cisco Talos worked with Micrium to disclose these vulnerabilities and ensure that an update is available. Vulnerability details Micrium uC-HTTP HTTP Server unchecked return value denial-of-service vulnerability (TALOS-2020-1193/CVE-2020-13582) A denial-of-service vulnerability exists in the HTTP Server functionality of Micrium uC-HTTP 3.01.00. A specially crafted HTTP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability. Read the complete vulnerability advisory here for additional information. Micrium uC-HTTP HTTP Server null pointer dereference denial-of-service vulnerability (TALOS-2020-1194/CVE-2020-13583) A denial-of-service vulnerability exists in the HTTP Server functionality of Micrium uC-HTTP 3.01.00. A specially crafted HTTP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability. Read the complete vulnerability advisory here for additional information. Versions tested