CVE-2021-21970

Vulnerability

An out-of-bounds write vulnerability exists in the HandleSeaCloudMessage functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. The HandleIncomingSeaCloudMessage function uses json_object_get_string to populate the p_name global variable. The p_name buffer is only 0x80 bytes long, but the total MQTT message can be up to 0x201 bytes. Because json_object_get_string fills the destination string based on the length of the JSON value, not the actual buffer size, a specially-crafted MQTT payload can cause an out-of-bounds write [1].

Exploitation

An attacker must be in a position to perform a man-in-the-middle (MitM) attack between the SeaConnect 370W and the Sealevel SeaCloud MQTT broker. The attacker sends a crafted MQTT message to the device's subscribed topic with a JSON value for the "name" key that exceeds 0x80 bytes. The device parses the message, and json_object_get_string copies the oversized value into the fixed-size p_name buffer, causing an out-of-bounds write [1]. No authentication is required beyond network access.

Impact

Successful exploitation results in an out-of-bounds write, which can corrupt adjacent memory. This can lead to a denial of service (device crash or reset) or potentially other undefined behavior. The CVSS v3.0 score is 3.7 (Low), indicating limited impact on confidentiality (none) and integrity (low) [1]. The attacker does not gain code execution according to the available references.

Mitigation

As of the publication date (2022-02-04), no fixed version has been released by Sealevel Systems. Affected firmware version is 1.3.34. Mitigation includes network segmentation, restricting MQTT traffic to trusted networks, and monitoring for anomalous MQTT messages. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should contact Sealevel for updates [1].