Unrated severity · NVD Advisory · Published Feb 4, 2022 · Updated Apr 15, 2025

CVE-2021-21963

Description

An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A man-in-the-middle attack on the Sealevel SeaConnect 370W web server can disclose sensitive information because the server lacks TLS encryption.

Vulnerability

An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34 [1]. The device's web server uses HTTP Basic Authentication without TLS, sending credentials and other sensitive data in plaintext over the network [1]. The web server is built on the TI 'SimpleLink' SDK, which does not support HTTPS [1].

Exploitation

An attacker must be in a position to perform a man-in-the-middle attack on network traffic between an authenticated user and the device [1]. The attacker can sniff the HTTP stream, capturing the Base64-encoded username and password from the HTTP `Authorization` header, as well as any other sensitive data transmitted [1]. The attacker needs no prior authentication, but user interaction (an authenticated user accessing the web server) is necessary [1].

Impact

Successful exploitation leads to disclosure of sensitive information, including user credentials and device configuration data [1]. The CVSSv3 score is 7.4, with impacts to confidentiality and integrity (C:H/I:H/A:N) [1]. An attacker could use the captured credentials to gain authenticated access to the device and modify settings if desired.

Mitigation

No fix has been released by the vendor [1]. At the time of disclosure (2022-02-04), the device was confirmed vulnerable and the vendor had not provided a patch [1]. As a workaround, users should ensure the device is only accessible over trusted networks and consider using VPN or network segmentation to prevent man-in-the-middle attacks. The vendor could implement TLS support or switch to a different SDK that supports HTTPS.
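To check whether management traffic to the device still crosses a monitored segment in cleartext, the following added example (not code from the advisory or the vendor) scans reassembled HTTP requests for Basic credentials and reports the username with the password withheld. The sample requests, host address and credentials are constructed, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: two cleartext HTTP requests as a sensor might reassemble
# them from port-80 traffic. Host, paths and credentials are made up.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n",
    "GET /logo.png HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]


def find_basic_auth(request_text):
    """Return a finding dict if the request carries HTTP Basic credentials, else None."""
    head = request_text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    for line in headers:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            # Base64 is an encoding, not encryption: decoding needs no key.
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return {"request": request_line, "user": None, "note": "malformed Basic token"}
        user, _, password = decoded.partition(":")
        # Report that a password was exposed, never the password itself.
        return {"request": request_line, "user": user,
                "note": f"password of {len(password)} chars sent in cleartext"}
    return None


def audit(requests):
    """Collect findings for every request that exposes Basic credentials."""
    return [f for f in map(find_basic_auth, requests) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

Any finding means the credentials named in it should be treated as exposed on that segment and rotated once the traffic has been moved behind a VPN or isolated network.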

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1