CVE-2021-21960

Vulnerability

A stack-based buffer overflow vulnerability exists in the LLMNR functionality of the Sealevel Systems, Inc. SeaConnect 370W, version 1.3.34. The device, built on a TI CC3200 MCU, provides network services including LLMNR, NBNS, and mDNS. When parsing an incoming LLMNR query, the implementation copies the queried name into a fixed-size name_buffer on the stack without bounds checking, trusting the length field in the DNS header which is limited to a single byte (max 255). By supplying a queried name with a large length value, an attacker can overflow the stack buffer [1].

Exploitation

The vulnerability is triggered by sending a specially-crafted LLMNR network packet to the SeaConnect 370W device. No authentication or prior access is required; the attacker only needs network connectivity to the target. The packet contains an excessively long queried name field, and the lack of bounds checking in the name copying routine leads to stack corruption. The overflow allows the attacker to control up to 255 bytes of data and ultimately overwrite the program counter [1].

Impact

Successful exploitation leads to remote code execution (RCE) on the device. An unauthenticated attacker can achieve full compromise of the SeaConnect 370W, as the vulnerability has a CVSSv3 score of 10.0 (Critical) with network attack vector, low complexity, no privileges required, no user interaction, and a scope change to compromised confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2022-02-04), no fixed version has been released. The vendor, Sealevel Systems, Inc., has not provided a patch or workaround. Users are advised to isolate affected devices on a segmented network and restrict LLMNR traffic. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]