CVE-2021-21967

Vulnerability

An out-of-bounds write vulnerability exists in the OTA (over-the-air) update task of the SeaConnect 370W v1.3.34, built on the TI CC3200 MCU [1]. The bug is located in the ParseToDownloadMessage function, where the unsafe strcpy is called on a string that is not null-terminated, leading to a stack-based buffer overflow [1]. The vulnerable code path is reachable when the device receives a specially-crafted MQTT message on its command channel, which is normally used for firmware update instructions from the Sealevel SeaCloud MQTTS broker [1].

Exploitation

An attacker must be in a position to perform a man-in-the-middle attack between the SeaConnect 370W and the SeaCloud MQTTS broker [1]. The attacker does not require authentication, but successful interception of the MQTT traffic is needed [1]. Once positioned, the attacker sends a crafted MQTT payload to the device’s command channel that triggers the ParseToDownloadMessage function with a non-null-terminated string, causing a stack buffer overflow [1]. No user interaction is required on the device side.

Impact

Successful exploitation results in a write beyond the bounds of the stack buffer, leading to denial of service [1]. According to the CVSS v3.0 score of 6.5, the impact is limited to availability (high), with no impact on confidentiality and a low impact on integrity [1]. The attacker does not gain code execution or privilege escalation from this vulnerability.

Mitigation

As of the advisory publication date (April 14, 2022), no patched firmware version was released by Sealevel Systems [1]. Users should monitor vendor updates for a fix. The device uses MQTTS (MQTT over TLS), so enforcing proper TLS certificate validation may reduce the feasibility of a man-in-the-middle attack. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.