CVE-2021-21969

Vulnerability

An out-of-bounds write vulnerability exists in the HandleSeaCloudMessage functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. The HandleIncomingSeaCloudMessage function uses json_object_get_string to populate the global variable p_payload, which is only 0x100 bytes long. However, the total incoming MQTT message can be up to 0x201 bytes. Because json_object_get_string fills the buffer based on the JSON value length rather than the buffer size, this leads to a potential out-of-bounds write [1].

Exploitation

An attacker with a man-in-the-middle (MITM) position can send a specially-crafted MQTT payload to the device's subscribed topic. No authentication is required (CVSS PR:N). The device receives and parses the JSON-formatted message, copying the "payload" field into the fixed-size buffer without any size check, thereby overwriting adjacent memory [1].

Impact

Successful exploitation results in an out-of-bounds write, which can corrupt memory and potentially cause a denial of service or, in more severe cases, lead to code execution. The CVSSv3 score of 3.7 (low) indicates limited impact on integrity (partial) with no direct impact on confidentiality or availability [1].

Mitigation

As of the publication date, no patch has been released by Sealevel Systems. Users should monitor vendor updates for a fix. As a workaround, restrict network access to the device, use encrypted communication channels (e.g., TLS for MQTT), and employ network segmentation to reduce the risk of MITM attacks [1].