Title: ABB Cylon BACnet MS/TP Kernel Module (mstp.ko) Out-of-Bounds Write in SendFrame()
Advisory ID: ZSL-2025-5953
Type: Local
Impact: System Access, DoS, Privilege Escalation
Risk: (5/5)
Release Date: 22.05.2025

Summary

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

BACnet Smart Building Controllers. ABB’s BACnet portfolio features a series of BACnet IP and BACnet MS/TP field controllers for ASPECT and INTEGRA building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It is scalable and modular, allowing you to control a diverse range of HVAC functions.

Committee: BACnet.org

From the FAQ:
A BACnet router is a device that passes a message from one network to another without changing the form or content of the message. This kind of device is used to interconnect BACnet networks that have different media (Ethernet, MS/TP over twisted pair, etc.). It is a simple device that just routes BACnet messages where they need to go, without decoding or altering them. A BACnet gateway is a more complex device that is used to interconnect a BACnet network with a non-BACnet network (such as Modbus or KNX). A gateway must decode messages on each network and reformat or translate the information to meet the requirements of the other network to route messages where they need to go. Gateways generally require more configuration, commissioning and maintenance effort than a router, as well as being more costly.

License: GPL
Author: Muiz M. Haider
Description: BACnet MS/TP Serial Line Discipline
:: Master-Slave / Token Passing ::

Description

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

mstp.KOrruption: Kernel Frame Overflow in BACnet MS/TP Module - Memory corruption in embedded RS485 stack.
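The check the advisory says SendFrame() lacks is a length validation against the fixed transmit buffer before any byte is copied. The following is an added userspace C model of that check; it is not mstp.ko source and not Zero Science Lab's PoC. The only figures taken from the advisory are the 0x1f5 (501-byte) buffer and the 492-byte payload limit; the 9-byte framing overhead is what those two numbers imply, and the simplified frame layout (7 header bytes, 2 trailer bytes, a placeholder checksum) and all function names are assumptions for illustration. `mstp_unchecked_overrun()` models the defect by reporting how far past the buffer an unchecked copy of a given length would write, rather than performing the write; `mstp_build_frame_checked()` is the hardened form that rejects oversize input up front.

```c
/* Added example (not mstp.ko source): userspace model of the bounds check that the
 * advisory says SendFrame() is missing.  Figures from the advisory: a fixed 0x1f5
 * (501-byte) buffer and a 492-byte payload limit.  The 9-byte framing overhead is
 * what those two numbers imply; the layout below (7 header bytes, 2 trailer bytes,
 * placeholder checksum) and all function names are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MSTP_TX_BUF_SIZE    0x1f5   /* 501 bytes, the alloc_entry() size named in the advisory */
#define MSTP_MAX_DATA_LEN   492     /* largest payload the advisory says still fits */
#define MSTP_FRAME_OVERHEAD (MSTP_TX_BUF_SIZE - MSTP_MAX_DATA_LEN)   /* 9 bytes, implied */
#define MSTP_HEADER_LEN     7       /* assumed: preamble(2) type(1) dst(1) src(1) len(2) */
#define MSTP_TRAILER_LEN    (MSTP_FRAME_OVERHEAD - MSTP_HEADER_LEN)  /* 2-byte checksum */

/* Model of the defect: number of bytes an unchecked copy of data_len payload bytes
 * would write past the end of the fixed buffer (0 when the frame fits).  It returns
 * a count instead of performing the write so the example stays memory-safe. */
size_t mstp_unchecked_overrun(size_t data_len)
{
    size_t needed = MSTP_FRAME_OVERHEAD + data_len;
    return needed > MSTP_TX_BUF_SIZE ? needed - MSTP_TX_BUF_SIZE : 0;
}

/* Placeholder trailer checksum (assumed; real MS/TP uses a CRC-16 over the data). */
static uint16_t mstp_sum16(const uint8_t *p, size_t n)
{
    uint16_t s = 0;
    for (size_t i = 0; i < n; i++)
        s = (uint16_t)(s + p[i]);
    return s;
}

/* Hardened frame builder: validates data_len (the attacker-controlled length the
 * advisory calls param_5) against both the protocol ceiling and the real buffer
 * size before any byte is written.  Returns the frame length on success, or -1
 * when the payload would overflow buf. */
long mstp_build_frame_checked(uint8_t *buf, size_t buf_size,
                              uint8_t frame_type, uint8_t dst, uint8_t src,
                              const uint8_t *data, size_t data_len)
{
    if (buf == NULL || (data == NULL && data_len != 0))
        return -1;
    /* Bound data_len first so the addition below cannot wrap. */
    if (data_len > MSTP_MAX_DATA_LEN)
        return -1;
    if (MSTP_FRAME_OVERHEAD + data_len > buf_size)
        return -1;

    buf[0] = 0x55;                          /* MS/TP preamble */
    buf[1] = 0xFF;
    buf[2] = frame_type;
    buf[3] = dst;
    buf[4] = src;
    buf[5] = (uint8_t)(data_len >> 8);      /* length, big-endian */
    buf[6] = (uint8_t)(data_len & 0xFF);
    if (data_len)
        memcpy(buf + MSTP_HEADER_LEN, data, data_len);
    uint16_t sum = mstp_sum16(data, data_len);
    buf[MSTP_HEADER_LEN + data_len]     = (uint8_t)(sum & 0xFF);
    buf[MSTP_HEADER_LEN + data_len + 1] = (uint8_t)(sum >> 8);
    return (long)(MSTP_FRAME_OVERHEAD + data_len);
}

/* Demonstration helper: submit a constructed payload of data_len bytes to the
 * checked builder with a 501-byte buffer.  Returns 1 if accepted, 0 if rejected. */
int mstp_try_len(size_t data_len)
{
    uint8_t buf[MSTP_TX_BUF_SIZE];
    uint8_t payload[600];                   /* constructed filler, 'A' bytes */
    memset(payload, 0x41, sizeof payload);
    if (data_len > sizeof payload)
        return 0;
    return mstp_build_frame_checked(buf, sizeof buf, 0x06, 0x01, 0x02,
                                    payload, data_len) >= 0;
}

int main(void)
{
    size_t lens[] = { 0, 492, 493, 600 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("data_len=%zu: unchecked overrun=%zu bytes, checked builder %s\n",
               lens[i], mstp_unchecked_overrun(lens[i]),
               mstp_try_len(lens[i]) ? "accepts" : "rejects");
    return 0;
}
```

Running it shows the boundary the advisory describes: 492 bytes of payload fit exactly, 493 bytes would write one byte past the 501-byte buffer in the unchecked model, and the checked builder refuses anything above 492 (or anything that does not fit the buffer it is actually handed) before touching memory.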

Vendor

ABB Ltd. - https://www.global.abb

Affected Version

<=3.08.03

Tested On

GNU/Linux Kernel 5.4.27
GNU/Linux Kernel 4.15.13
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel® Atom™ Processor E3930 @ 1.30GHz
Intel® Xeon® Silver 4208 CPU @ 2.10GHz

Vendor Status

[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[21.05.2025] No response from the vendor.
[22.05.2025] Public security advisory released.

PoC

mstp.KOrruption.c

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] https://packetstorm.news/files/id/194982/

Changelog

[22.05.2025] - Initial release
[26.05.2025] - Added reference [1]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]
