CVE-2021-21968
Description
A file write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to arbitrary file overwrite. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A man-in-the-middle attacker can overwrite arbitrary files on SeaConnect 370W v1.3.34 via a crafted MQTT OTA update payload due to improper input validation.
Vulnerability
A file write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc. SeaConnect 370W firmware version v1.3.34. The device, built on the TI CC3200 MCU, connects to the SeaCloud MQTTS broker and listens for OTA update commands. The update message contains a JSON payload with fields uri, dest, and crc. Due to improper input validation (CWE-20), a specially-crafted MQTT payload can cause an arbitrary file overwrite. No authentication is required, but the attacker must perform a man-in-the-middle attack to intercept and modify MQTT traffic [1].
Exploitation
An attacker positioned as a man-in-the-middle between the SeaConnect 370W and the SeaCloud MQTTS broker can intercept the legitimate OTA update message. By crafting a malicious JSON payload with an arbitrary uri (pointing to attacker-controlled content) and a controlled dest filename (e.g., /firmware.bin or other writable paths), the attacker triggers the device to download and overwrite a file of their choosing. No user interaction is required once the device is online and the MITM position is established [1].
Impact
Successful exploitation allows an attacker to overwrite arbitrary files on the device. This can lead to complete compromise of device integrity, potentially enabling arbitrary code execution, denial of service, or persistent unauthorized access. The CVSSv3 score is 8.1 (High), with impacts to confidentiality, integrity, and availability all rated as High [1].
Mitigation
As of the publication date of this CVE (2022-02-04), the vendor has not released a patched firmware version. The available references do not list any workaround or mitigation details. Users should restrict network access to the SeaConnect 370W and monitor MQTT traffic for anomalies. If a firmware update becomes available, applying it is the recommended course of action [1].
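The input validation that the Vulnerability section describes as missing can be expressed as a policy check on the uri and dest fields before any download starts. The following is an added example, not Sealevel's code and not taken from the referenced report; the function name ota_request_allowed, the update host updates.example.invalid and the single-entry destination allowlist (using the /firmware.bin name from the text above) are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed policy values: the page does not list the real ones. */
static const char OTA_URI_PREFIX[] = "https://updates.example.invalid/";
static const char *const OTA_DEST_ALLOWED[] = { "/firmware.bin" };

/* Reject traversal sequences, control characters and backslashes. */
static int has_unsafe_path_chars(const char *s)
{
    if (strstr(s, "..") != NULL)
        return 1;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f || c == '\\')
            return 1;
    }
    return 0;
}

/*
 * Return 1 only if both fields of a parsed OTA request pass the policy.
 * The crc field is not checked here: a CRC detects corruption, not
 * tampering, so it cannot replace this check or an authenticated channel.
 */
int ota_request_allowed(const char *uri, const char *dest)
{
    size_t i, prefix_len = sizeof(OTA_URI_PREFIX) - 1;

    if (uri == NULL || dest == NULL)
        return 0;
    /* uri: exact scheme and host (trailing '/' included), non-empty path. */
    if (strncmp(uri, OTA_URI_PREFIX, prefix_len) != 0 || uri[prefix_len] == '\0')
        return 0;
    if (has_unsafe_path_chars(uri + prefix_len))
        return 0;
    /* dest: exact match against the allowlist, never a prefix match. */
    for (i = 0; i < sizeof(OTA_DEST_ALLOWED) / sizeof(OTA_DEST_ALLOWED[0]); i++) {
        if (strcmp(dest, OTA_DEST_ALLOWED[i]) == 0)
            return 1;
    }
    return 0;
}
```

Matching the prefix with its trailing slash is what rejects look-alike hosts that merely begin with the expected name.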
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sealevel Systems, Inc./SeaConnect 370W
- Range: = 1.3.34
Patches
No patches discovered yet.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2021-1395 (mitre, x_refsource_MISC)