CVE-2021-21966

An unauthenticated attacker on the same network sends a crafted HTTP POST request to the target device's /ping.html endpoint. The request includes the parameter __SL_P_T.B set to 1472 (the maximum allowed packet size). The NWP's HTTP server processes the request without requiring authentication, as these embedded resources are accessible by default [ref_id=1]. The server constructs an ICMP ping reply whose payload contains uninitialized memory from the NWP's internal buffers, leaking sensitive data such as passwords, tokens, stack cookies, or memory addresses back to the attacker [ref_id=1].

The vulnerability resides in the HTTP server's /ping.html action handler within the CC3200 SimpleLink Network Processor (NWP) firmware version 2.9.0.0. The NWP's built-in HTTP server processes POST requests to /ping.html with parameters __SL_P_T.A (target IP), __SL_P_T.B (packet size), and __SL_P_T.C (ping count). The ICMP ping payload buffer is not fully initialized when the packet size parameter is set to the maximum value of 1472 bytes, causing uninitialized stack or heap data to be included in the response.

The advisory does not include a patch or specific remediation code. Texas Instruments was disclosed the vulnerability on 2021-10-21, and the advisory was publicly released on 2022-02-15 [ref_id=1]. No fix has been published in the available materials. The recommended mitigation would be for the vendor to ensure the ICMP ping payload buffer is fully zero-initialized before being populated with user-controlled data, preventing any uninitialized memory from being disclosed in the response.

Send the following curl command to the target device, replacing `