FT-SA-2025-02

Security Advisory – Null Pointer Dereference in FieldTalk Modbus Slave Library for .NET

Advisory ID: FT-SA-2025-02
Product: FieldTalk Modbus Slave Library for .NET
Version(s) Affected: 2.5.0 through 2.7.3
Vendor: proconX Pty Ltd
Severity: Medium (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWE: CWE-476 (NULL Pointer Dereference)
Date Published: 2025-03-01
Last Updated: 2025-03-01


Overview

A vulnerability has been identified in the FieldTalk Modbus Slave Library for .NET versions 2.5.0 through 2.7.3. The issue arises from a null pointer dereference triggered by certain Modbus requests. This vulnerability can lead to an access violation on Windows or a segmentation fault on Linux, resulting in a denial-of-service (DoS) condition.

This is the same underlying defect described in FT-SA-2025-01, which affects the native library shared by the FieldTalk Modbus Slave C++ Library. The FieldTalk Modbus Slave Library for .NET wraps this same native code and is therefore independently affected.


Vulnerability Details

Vulnerability Type: Null Pointer Dereference
CWE ID: CWE-476 (NULL Pointer Dereference)

This issue occurs when a Modbus master device sends a specially crafted request to the FieldTalk Modbus Slave Library for .NET over the Modbus RTU or ASCII protocol. The malformed request causes the underlying native library to dereference a null pointer, leading to an access violation (on Windows) or a segmentation fault (on Linux).

Impact:

  • Windows: Access violation
  • Linux: Segmentation fault
  • Effect: Denial-of-Service (DoS)

An attacker who can send Modbus requests to the vulnerable system can cause a crash, rendering the system unavailable.


CVSS v3.1 Vector

  • CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Explanation of CVSS:

  • AV:L (Attack Vector: Local) – Requires physical access or a connected serial device.
  • AC:L (Attack Complexity: Low) – A simple Modbus request can trigger the issue.
  • PR:N (Privileges Required: None) – Any serial-connected Modbus master can trigger it.
  • UI:N (User Interaction: None) – No user action required.
  • S:U (Scope: Unchanged) – The impact remains confined to the affected system.
  • C:N/I:N/A:H – No data is leaked (Confidentiality = None), no unauthorized modification (Integrity = None), but Availability is High because it crashes the system.

Affected Versions

The following versions are affected by this vulnerability:

  • FieldTalk Modbus Slave Library for .NET: 2.5.0 through 2.7.3

Solution / Mitigation

Upgrade to FieldTalk Modbus Slave Library for .NET version 2.8.0 or later.

Version 2.7.4, which also contains the fix, was an internal build and was not publicly released — customers should upgrade to 2.8.0 or later.

If an upgrade is not immediately possible, contact the vendor for guidance on applying the fix to your source code.


Workaround

No workaround is available other than upgrading to a fixed version.


Steps to Reproduce

  1. Set up a Modbus slave using FieldTalk Modbus Slave Library for .NET version 2.5.0 through 2.7.3.
  2. Instruct a Modbus master device to send a crafted Modbus request over the Modbus RTU or ASCII protocol.
  3. Observe that the system crashes with an access violation (on Windows) or segmentation fault (on Linux).

Timeline

  • 2019-07-11: Fix implemented (internal commit 3b1005c, "Fixed crash when receiving broadcasts").
  • 2019-10-31: Fix included in version 2.7.4, an internal build that was not publicly released.
  • 2021-04-02: Fix included in FieldTalk Modbus Slave Library for .NET version 2.8.0, the first public release containing the fix.
  • 2025-03-01: Issue identified as a security-relevant defect during internal review, assessed against CVSS, and this advisory drafted and published.

References

  • Internal fix commit: 3b1005c (2019-07-11)
  • Related advisory: FT-SA-2025-01 (FieldTalk Modbus Slave C++ Library)
  • No CVE has been requested for this issue.

Credits

This vulnerability was identified internally by proconX during a routine security review; it was not externally reported.


Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. proconX Pty Ltd does not assume any responsibility for the impact of this vulnerability or the actions taken by users to address it. Users are advised to take appropriate precautions based on their own security requirements.