Critical Vulnerabilities Found in Sealevel Device Used in ICS Environments
Cisco’s Talos security researchers have published details on a series of critical vulnerabilities that Sealevel has addressed in the SeaConnect 370W WiFi-connected edge device.
The internet of things (IoT) device is used in industrial control system (ICS) environments for the monitoring of real-world I/O processes. The identified bugs could be exploited to execute arbitrary code on a vulnerable device, or to perform man-in-the-middle attacks.
The most severe of the newly disclosed bugs are three buffer overflow issues rated “critical severity,” which could be exploited to achieve remote code execution on vulnerable devices.
With a CVSS score of 10, two of the flaws were identified in the LLMNR and NBNS name resolution services that SeaConnect 370W exposes. The bugs are tracked as CVE-2021-21960 and CVE-2021-21961.
“The vulnerability occurs when attempting to copy the queried name to a local buffer of fixed size (identified above as name_buffer). The implementation does not conduct any bounds checking prior to copying the data, simply trusting the supplied length field will be accurate and no larger than 32 bytes,” Talos explains.
Thus, an attacker can supply a significantly large length value to trigger a stack-based buffer overflow, which would provide them with control of the program counter, Talos says. The attacker can trigger the issue using crafted network packets, achieving remote code execution.
Featuring a CVSS score of 9.0 and tracked as CVE-2021-21962, the third critical bug is a heap-based buffer overflow identified in the OTA Update “u-download” functionality of SeaConnect 370W. An attacker can use specially-crafted MQTT payloads to exploit the flaw and achieve remote code execution.
Talos also discovered that the SeaConnect device is impacted by a high-severity vulnerability (CVE-2021-21959) that exists because of a misconfiguration in the MQTTS functionality, and which could be exploited to perform man-in-the-middle attacks and control the device’s functionality.
An attacker able to mount a man-in-the-middle attack against the device could then exploit a series of other vulnerabilities to perform malicious actions, such as file overwrites.
Talos also disclosed information on CVE-2021-21967 (CVSS score of 6.5), another vulnerability that can be exploited to carry out man-in-the-middle attacks, as well as CVE-2021-21964 and CVE-2021-21965 (CVSS score of 8.6), which could be exploited to cause a denial of service (DoS) condition.
Cisco’s security researchers note that they have worked with Sealevel to ensure that all of the identified vulnerabilities are correctly resolved. Patches were released in late January.