
CVE-2026-41503

Severity: High (exploit available)
Weakness: CWE-125 (Out-of-bounds Read)
Published: Apr 24, 2026  ·  Modified: May 1, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service property decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending an RPM request with a truncated property list. The vulnerability stems from rpm_decode_object_property() calling the deprecated decode_tag_number_and_value() function at src/bacnet/rpm.c:344, which accepts no buffer length parameter and reads blindly from whatever pointer it receives. A crafted BACnet/IP packet with a 1-byte property payload containing an extended tag marker (0xF9) causes the decoder to read 1 byte past the end of the buffer, leading to crashes on embedded BACnet devices. The vulnerability exists in src/bacnet/rpm.c and affects any deployment that enables the ReadPropertyMultiple confirmed service handler (enabled by default in the reference server). This vulnerability is fixed in 1.4.3.

🤖 AI Executive Summary

CVE-2026-41503 is a critical out-of-bounds read vulnerability in BACnet Stack versions prior to 1.4.3 that allows unauthenticated remote attackers to crash BACnet/IP devices by sending malformed ReadPropertyMultiple requests. The vulnerability stems from unsafe buffer handling in the rpm_decode_object_property() function, which reads past allocated boundaries when processing truncated property lists. This poses significant risk to Saudi Arabia's critical infrastructure, particularly in building automation, energy management, and industrial control systems that rely on BACnet protocols.

🤖 AI Intelligence Analysis (analyzed May 1, 2026 23:32)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi Arabia's critical infrastructure sectors:
1. Energy Sector: ARAMCO and regional power utilities using BACnet for SCADA and building management systems face potential denial of service.
2. Government Buildings: NCA-regulated facilities with BACnet-enabled HVAC and security systems could experience operational disruptions.
3. Healthcare: hospitals and medical facilities relying on BACnet for environmental controls and patient monitoring systems.
4. Telecommunications: STC and other telecom operators using BACnet in data centers and network facilities.
5. Banking/Financial: SAMA-regulated institutions with BACnet-enabled building automation in critical facilities.
The unauthenticated nature of the flaw and the default-enabled service handler make it particularly dangerous for the legacy systems prevalent in Saudi industrial and government deployments.
🏢 Affected Saudi Sectors
Energy & Utilities (ARAMCO, regional power utilities)
Government & Critical Infrastructure (NCA-regulated facilities)
Healthcare (hospitals, medical facilities)
Telecommunications (STC, data centers)
Banking & Financial Services (SAMA-regulated institutions)
Manufacturing & Industrial Control Systems
Building Automation & Facilities Management
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all BACnet Stack deployments in your organization using version detection tools and network scanning
2. Isolate affected BACnet devices from untrusted networks immediately using network segmentation
3. Implement network-level access controls restricting BACnet/IP traffic (port 47808) to authorized sources only
4. Enable BACnet packet inspection and logging to detect exploitation attempts

PATCHING GUIDANCE:
1. Upgrade BACnet Stack to version 1.4.3 or later as soon as available
2. For systems unable to patch immediately, disable the ReadPropertyMultiple confirmed service handler if operationally feasible
3. Recompile and redeploy affected embedded systems with patched libraries
4. Coordinate with device manufacturers for firmware updates incorporating the patched stack

COMPENSATING CONTROLS (if patching delayed):
1. Deploy BACnet protocol firewall/gateway with deep packet inspection to validate ReadPropertyMultiple requests
2. Implement rate limiting on BACnet/IP connections to mitigate DoS impact
3. Monitor for malformed BACnet packets with truncated property lists (property count mismatch)
4. Establish network segmentation with DMZ for BACnet devices

DETECTION RULES:
1. Alert on BACnet/IP packets with ReadPropertyMultiple service (0x0E) containing property payloads <4 bytes
2. Monitor for packets with extended tag marker (0xF9) in property decoder context
3. Track BACnet device crashes/reboots correlated with malformed RPM requests
4. Log all BACnet/IP traffic from external networks for forensic analysis
5. Implement IDS signatures detecting truncated BACnet property lists in RPM requests
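The description above pins the bug to a tag decoder that takes no buffer length and therefore reads the extended-tag octet that a 1-byte property payload does not contain, and the detection rules ask for a check on truncated property lists in RPM requests. The C below is an added illustration of both points; it is not bacnet-stack's code, and the names `tag_header_t`, `decode_tag_header_bounded` and `tagged_sequence_fits` are invented for this example. It assumes the standard BACnet tag-octet layout (high nibble tag number, with 0xF meaning the tag number is in the next octet; bit 3 class; low three bits length/value/type, with 5 meaning an extended length follows) and uses constructed byte strings rather than captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded BACnet tag header (illustrative type, not bacnet-stack's own). */
typedef struct {
    uint8_t  tag_number;       /* from the tag octet, or the extended tag octet */
    bool     context_specific; /* class bit: true = context tag */
    uint32_t length;           /* payload octets that must follow the header */
} tag_header_t;

/* Length-aware tag header decoder (hypothetical name). Assumes the ASHRAE 135
 * tag octet layout: bits 7-4 tag number (0xF = extended tag number in the next
 * octet), bit 3 class, bits 2-0 length/value/type (5 = extended length in the
 * following 1, 1+2 or 1+4 octets). Returns header octets consumed, or 0 when
 * the buffer ends before the header does. Every access is checked against
 * buf_len, so a 1-byte buffer holding 0xF9 is rejected instead of reading the
 * extended-tag octet that is not there. */
size_t decode_tag_header_bounded(const uint8_t *buf, size_t buf_len, tag_header_t *out)
{
    size_t pos = 1;                        /* the first tag octet */
    uint8_t tag, lvt;

    if (buf == NULL || out == NULL || buf_len == 0) return 0;
    tag = buf[0] >> 4;
    out->context_specific = (buf[0] & 0x08) != 0;
    lvt = buf[0] & 0x07;

    if (tag == 0x0F) {                     /* extended tag number follows */
        if (pos >= buf_len) return 0;      /* truncated: the shape the advisory describes */
        tag = buf[pos++];
    }
    out->tag_number = tag;

    if (out->context_specific && lvt >= 6) {
        out->length = 0;                   /* opening / closing tag: no payload */
    } else if (lvt >= 6) {
        return 0;                          /* reserved values for application tags */
    } else if (!out->context_specific && tag == 1) {
        out->length = 0;                   /* application Boolean: value lives in lvt */
    } else if (lvt < 5) {
        out->length = lvt;
    } else {                               /* extended length */
        uint8_t ext;
        if (pos >= buf_len) return 0;
        ext = buf[pos++];
        if (ext < 254) {
            out->length = ext;
        } else if (ext == 254) {
            if (buf_len - pos < 2) return 0;
            out->length = ((uint32_t)buf[pos] << 8) | buf[pos + 1];
            pos += 2;
        } else {
            if (buf_len - pos < 4) return 0;
            out->length = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16)
                        | ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
            pos += 4;
        }
    }
    return pos;
}

/* Structural check for a sequence of tagged elements, e.g. the property list of
 * a ReadPropertyMultiple request: every header and its declared payload must fit
 * inside buf_len. An empty buffer counts as truncated. */
bool tagged_sequence_fits(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    tag_header_t hdr;

    if (buf == NULL || buf_len == 0) return false;
    while (pos < buf_len) {
        size_t used = decode_tag_header_bounded(buf + pos, buf_len - pos, &hdr);
        if (used == 0) return false;                  /* header itself is cut off */
        pos += used;
        if (hdr.length > buf_len - pos) return false; /* payload runs past the end */
        pos += hdr.length;
    }
    return true;
}

int main(void)
{
    /* Constructed samples, not captured traffic. */
    static const uint8_t ext_tag_only[] = { 0xF9 };                  /* one octet, extended-tag marker */
    static const uint8_t well_formed[] = { 0x0E, 0x09, 0x55, 0x0F }; /* [0] open, ctx 0 len 1, [0] close */
    static const uint8_t cut_payload[] = { 0x09 };                   /* header promises 1 octet, none follows */
    tag_header_t hdr;

    printf("0xF9 alone: header octets consumed = %zu (0 = rejected)\n",
           decode_tag_header_bounded(ext_tag_only, sizeof ext_tag_only, &hdr));
    printf("well-formed list fits = %d, cut payload fits = %d\n",
           tagged_sequence_fits(well_formed, sizeof well_formed),
           tagged_sequence_fits(cut_payload, sizeof cut_payload));
    return 0;
}
```

The one-octet 0xF9 input returns 0 from the header decoder, because the read of the extended-tag octet is guarded by the remaining length, and `tagged_sequence_fits` rejects it for the same reason before any property decoding starts. A BACnet gateway or IDS rule can apply that structural check to the service data of RPM requests (the "property count mismatch" condition in the compensating controls above); it validates framing only and is a stopgap alongside, not instead of, the 1.4.3 upgrade.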
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.1.1 - Access control for critical infrastructure systems
ECC 2024 A.12.6.1 - Management of technical vulnerabilities in operational technology
ECC 2024 A.14.2.1 - Secure development and change management for critical systems
ECC 2024 A.16.1.5 - Incident response for critical infrastructure disruptions
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory of critical systems
SAMA CSF PR.DS-6 - Data and system integrity monitoring
SAMA CSF DE.CM-1 - Detection and analysis of anomalous activity
SAMA CSF RS.MI-1 - Incident mitigation and containment procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - Screening and vetting of personnel with access to critical systems
ISO 27001:2022 A.12.2.1 - Configuration management for critical infrastructure
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
Not directly applicable: BACnet is operational technology, not a payment system. However, if BACnet systems control access to payment processing facilities, PCI DSS 1.1 (network segmentation) applies.
📦 Affected Products / CPE (2 entries)
bacnetstack:bacnet_stack
bacnetstack:bacnet_stack:1.5.0
📊 CVSS Score: 7.5 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: N (None)
Integrity: N (None)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-125
EPSS: 0.14%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-04-24
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags: exploit-available, CWE-125