CVE-2020-24573
Description
BAB TECHNOLOGIE GmbH eibPort V3 prior to 3.8.3 devices allow denial of service (Uncontrolled Resource Consumption) via requests to the lighttpd component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BAB TECHNOLOGIE eibPort V3 before 3.8.3 allows unauthenticated remote attackers to cause denial of service via a malformed HTTP request to lighttpd.
Vulnerability
eibPort V3 devices running firmware version 3.8.2 and earlier use lighttpd version 1.4.31, which has an Uncontrolled Resource Consumption weakness (CWE-400) [1]. Sending a crafted HTTP request with a malformed Connection header (e.g., Connection: TC,,Keep-Alive) triggers high CPU usage, rendering the device unresponsive.
Exploitation
An unauthenticated attacker with network access to the web interface can exploit this by sending a single malformed HTTP GET request with a crafted Connection header [1]. The request causes lighttpd to enter a high CPU loop (99% usage), and a simple restart of the lighttpd process may not suffice; a full reboot is required to recover.
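Detection logic for the malformed header described above, added here as an example and not taken from the advisory or the vendor. It flags any request whose Connection header contains an empty list element; that rule generalizes from the single sample value on this page and is an assumption, and the sample requests and the host name eibport.example are constructed.

```python
"""Flag HTTP requests whose Connection header contains an empty list element."""

# Constructed sample requests (not captured traffic). The second one carries
# the malformed header value quoted in the text above.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: eibport.example\r\nConnection: keep-alive\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: eibport.example\r\nConnection: TC,,Keep-Alive\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: eibport.example\r\nconnection: close,\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: eibport.example\r\nAccept: a,,b\r\n\r\n",
]


def connection_values(raw: bytes) -> list[str]:
    """Return the value of every Connection header in a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; other headers are ignored.
        if sep and name.strip().lower() == "connection":
            values.append(value.strip())
    return values


def has_empty_element(value: str) -> bool:
    """True if the comma-separated list has an empty or whitespace-only token."""
    return any(tok.strip() == "" for tok in value.split(","))


def is_suspicious(raw: bytes) -> bool:
    """True if any Connection header in the request has an empty list element."""
    return any(has_empty_element(v) for v in connection_values(raw))


def scan(requests):
    """Return (index, offending value) for each flagged request."""
    hits = []
    for i, raw in enumerate(requests):
        for v in connection_values(raw):
            if has_empty_element(v):
                hits.append((i, v))
    return hits


if __name__ == "__main__":
    for idx, value in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: malformed Connection header {value!r}")
```

The same predicate can be applied at a reverse proxy or in log review in front of devices that cannot yet be upgraded; it does not handle folded (multi-line) header values.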
Impact
Successful exploitation results in a denial of service condition where the eibPort becomes unresponsive, impacting all services including building automation control. This is a network-based attack with no authentication required; the availability impact is high, with no effect on confidentiality or integrity.
Mitigation
The vendor released firmware version 3.8.3 in November 2020, which updates lighttpd to version 1.4.55, fixing the vulnerability [1]. Users should upgrade to version 3.8.3 or later. No workaround is mentioned in the reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BAB TECHNOLOGIE GmbH / eibPort V3
- Range: <3.8.3
Patches
No patches discovered yet.
References
[1] psytester.github.io/CVE-2020-24573/ (mitre, x_refsource_MISC)