CVE-2021-21959
A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads to control of device functionality.
Sealevel Systems, Inc. SeaConnect 370W v1.3.34
7.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE-295 - Improper Certificate Validation
The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.
This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”
The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.
The SeaConnect 370W communicates with the remote “Sealevel SeaCloud” via MQTTS communications. While establishing this connection, the device chooses to explicitly ignore certificate validation errors, making man-in-the-middle type attacks substantially simpler to conduct. The initialization of the MQTTS connection occurs in the function GetConnected
, located at raw offset 0x10446 which is mapped to RAM for execution at 0x20010446. The function responsible for creating a secure socket is titled NetworkConnectTLS
, located in RAM at 0x2001BEB4 and referenced within GetConnected
at offset 0x7A. The prototype of the NetworkConnectTLS
function is approximately int NetworkConnectTLS(Network *n, char *host, int port, void *certificate_filename, int certificate_filename_len)
and when no certificate_filename
is supplied the socket will not perform any validation of the supplied server certificate.
Below, we see the portion of GetConnected
where the MQTTS client is established.
NewNetwork(network);
MQTTClientInit(mqtt_client, network, 10000, *p_tx_buffer, 512, *p_rx_buffer, 512);
mqtt_client->defaultMessageHandler = DefaultCallback;
mqtt_conf.port = 8883;
rc = NetworkConnectTLS(network, mqtt_conf.host, 8883, 0, 0);
Observe that NetworkConnectTLS
is called with no certificate_filename
provided and therefore no certificate validation is conducted.
Successfully performing a man-in-the-middle of the MQTTS connection would allow an unauthenticated remote attacker to make modifications to the state of the outputs, manipulate the reported states of inputs and even convince the device to apply a malicious firmware update.
2021-10-21 - Initial vendor contact
2021-10-26 - Vendor disclosure
2022-02-01 - Public Release
Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.