VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2022 · Updated Apr 15, 2025

CVE-2021-21959

Description

A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads to control of device functionality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sealevel SeaConnect 370W v1.3.34 MQTTS ignores certificate validation, enabling simple man-in-the-middle attacks that compromise device control.

Vulnerability

The SeaConnect 370W (firmware v1.3.34) fails to validate TLS server certificates when establishing MQTTS connections. In the function GetConnected (offset 0x10446), the call to NetworkConnectTLS at offset 0x7A accepts a certificate_filename parameter; when set to NULL, no certificate validation is performed [1]. This misconfiguration is tracked as CWE-295 (Improper Certificate Validation).
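As an added illustration (not code from the VYPR page, from Sealevel, or from the device firmware), the following Python script shows the two TLS client configurations the paragraph above contrasts: one with no trust anchor, which is what this example assumes a NULL certificate_filename amounts to on the device, and the hardened form that pins the broker's CA and checks the hostname. The firmware's NetworkConnectTLS API is not reproduced; Python's standard ssl module stands in for it, and the CA bundle path "broker-ca.pem" is a hypothetical name. The audit_context function returns the CWE-295-relevant weaknesses of a context so that a reviewer can check a client configuration before it ever reaches a network.

```python
"""
Added example: the weak MQTTS client configuration described for CVE-2021-21959
beside its hardened counterpart, using only Python's standard library.
Assumption: a NULL certificate_filename on the device is equivalent to a TLS
client with no trust anchor and no verification (device_style_context below).
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TlsFinding:
    setting: str   # which SSLContext attribute is weak
    value: str     # its current value
    problem: str   # why it matters for an MQTTS client


def device_style_context() -> ssl.SSLContext:
    """Client context with no trust anchor and no verification, the assumed
    analogue of NetworkConnectTLS with certificate_filename=NULL. Any
    certificate the peer presents, including a forged one, completes the
    handshake, so an on-path impostor broker is indistinguishable from the
    real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_mqtts_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the broker certificate against a trust
    anchor. ca_file is the broker's CA bundle (hypothetical name
    "broker-ca.pem"); with None the platform trust store is used instead."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # the default; stated explicitly
    ctx.check_hostname = True             # bind the cert to the broker hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[TlsFinding]:
    """Return the CWE-295-relevant weaknesses of a client SSLContext.
    An empty list means the context would reject a forged broker certificate."""
    findings: List[TlsFinding] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(TlsFinding(
            "verify_mode", "CERT_NONE",
            "certificate chain is never checked, so a self-signed or forged "
            "broker certificate is accepted"))
    if not ctx.check_hostname:
        findings.append(TlsFinding(
            "check_hostname", "False",
            "certificate is not matched to the broker hostname, so a valid "
            "certificate issued for any other host is accepted"))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(TlsFinding(
            "minimum_version", ctx.minimum_version.name,
            "legacy TLS versions remain negotiable"))
    return findings


def mqtts_connect(host: str, ctx: ssl.SSLContext, port: int = 8883,
                  timeout: float = 5.0) -> dict:
    """Open an MQTTS (MQTT over TLS, port 8883) connection and return the
    broker certificate as a dict. With the device-style context the dict is
    empty because nothing was verified; with the hardened context a forged
    certificate raises ssl.SSLCertVerificationError before any MQTT bytes
    are exchanged."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration: audit both contexts without touching a network.
    for label, ctx in (("device-style", device_style_context()),
                       ("hardened", hardened_mqtts_context())):
        findings = audit_context(ctx)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.setting}={f.value}: {f.problem}")
```

The hardened context can be handed to an MQTT library that accepts a prepared SSLContext (paho-mqtt's Client.tls_set_context, for instance); the point is that the trust anchor is supplied and hostname checking stays on, which is exactly what the NULL certificate_filename path described above omits.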

Exploitation

An attacker with network access to the device can perform a man-in-the-middle attack by intercepting the MQTTS handshake and presenting a self-signed or forged certificate. The device accepts the connection without any warning, allowing the attacker to read and inject MQTT messages. No authentication or user interaction is required, though the attacker must either sit on the same network segment as the device or be able to route the device's traffic through themselves.

Impact

Successful exploitation gives the attacker the ability to fully control the device's functionality, including digital and analog I/O, relays, and the 1-wire bus. The CIA impact is: confidentiality low (exposure of MQTT payloads), integrity high (modification of commands), availability high (disruption of operations). The CVSSv3 score is 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H).

Mitigation

As of the publication date (February 2022), no firmware update or workaround has been released by Sealevel Systems to address this vulnerability. Users should monitor the vendor's advisory and restrict network access to the device to trusted segments only until a patch is available.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)