Distech Controls SOLSTYCE DALI Gateway MQX RTOS DHCP and UDP Vulnerabilities

Risk Category: High
Document ID: SCYD-05-10032023
Version: 1.0
Document Status: Final

CVSS v3.1 Score: 9.1
CVSS Vectors:

  1. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.1 – UDP 1)

  2. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 – UDP 2)

  3. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1 – DHCP)

CVE ID: CVE-2017-12718
CWE: CWE-119, CWE-120

Description:

Distech Controls SOLSTYCE DALI Gateway devices are impacted by multiple vulnerabilities in the TCP/IP stack and DHCP client they use. An unauthenticated, remote attacker could trigger a buffer overflow condition in either of two ways: by sending unsolicited UDP packets to the BACnet or management interfaces, or by injecting themselves into the network path of an impacted device and responding to a DHCP request from it. A successful attack allows the attacker to execute arbitrary code with elevated privileges or trigger a denial-of-service condition.

The first UDP vulnerability is due to a failure within the MQX TCP/IP stack when processing malicious UDP frames sent to an impacted device. The impacted component is part of the underlying MQX operating system utilized by SOLSTYCE devices.

The second UDP vulnerability is due to a failure to properly handle a high rate of UDP packets destined for an impacted device. The impacted component is part of the underlying MQX operating system utilized by SOLSTYCE devices.

The DHCP vulnerability is due to a failure by the MQX RTOS DHCP Client to properly handle malicious DHCP options when included as part of a valid DHCP response. The impacted component is part of the underlying MQX operating system utilized by SOLSTYCE devices.

Updated software and mitigations are available to resolve this issue.

Impacted Versions:

Distech Controls SOLSTYCE Gateway SCY-1DALI or SCY-2DALI devices running software prior to version 1.0.4.0 are impacted.

Acuity nLight nPS 80 DALI interface modules are not affected.

Resolution:

Update software to version 1.0.4.0 or later.

Administrators may mitigate the DHCP vulnerability by disabling DHCP functionality and assigning a static IP address to impacted devices.

Fixed Software:

Version 1.0.4.0 or later
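
The following is an added example, not part of the original advisory or any Acuity or Distech tooling: a triage of a device inventory against the impacted models, the fixed version and the DHCP mitigation stated above. The CSV column names, host names and status strings are assumptions, and the sample inventory is constructed.

```python
import csv
import io

FIXED = (1, 0, 4, 0)                         # first fixed release per the advisory
AFFECTED_MODELS = {"SCY-1DALI", "SCY-2DALI"}  # impacted models per the advisory

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
host,model,firmware,dhcp
gw-lobby,SCY-1DALI,1.0.3.2,yes
gw-floor2,SCY-2DALI,1.0.4.0,yes
gw-floor3,scy-2dali,1.0.2,no
gw-lab,SCY-1DALI,unknown,yes
nps-roof,nPS 80,1.0.1.0,yes
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # "1.0.2" -> (1, 0, 2, 0)

def triage(inventory_csv):
    """Map each host in the CSV to a status string."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            result[host] = "out of scope"
            continue
        version = parse_version(row["firmware"])
        if version is None:
            # Unreadable firmware on an impacted model is unverified, not safe.
            result[host] = "verify firmware manually"
        elif version >= FIXED:
            result[host] = "fixed"
        elif row["dhcp"].strip().lower() == "yes":
            result[host] = "update; set static IP until updated"
        else:
            # The advisory lists the static-IP mitigation for the DHCP issue only.
            result[host] = "update; DHCP already off"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples rather than strings, so a release such as 1.0.10.0 sorts after 1.0.4.0.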

Attribution:

The issues were identified by the Acuity partner that provides the SOLSTYCE DALI Gateway devices.

Acuity Brands knows of no exploitation of these vulnerabilities.

History:

10/3/2023 – Initial Release

LEGAL DISCLAIMER:

THIS CONTENT IS PROVIDED ON AN "AS IS" BASIS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED WITHOUT ANY WARRANTY OF ANY KIND. THE CONTENT IS INTENDED FOR USERS OF ACUITY BRANDS PRODUCTS WHO POSSESS THE PROFESSIONAL SKILLS AND JUDGMENT NECESSARY TO INTERPRET THE INFORMATION AND DETERMINE THE APPROPRIATE STEPS TO TAKE. USE OF THE INFORMATION IS AT THE USER'S OWN RISK. THE AUTHOR RESERVES THE RIGHT TO UPDATE OR DELETE THIS CONTENT AT ANY TIME.
