CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.3%
A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads to control of device functionality.
Sealevel Systems, Inc. SeaConnect 370W v1.3.34
SeaConnect 370W - <https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/>
7.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE-295 - Improper Certificate Validation
The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.
This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named βSeaMAX API.β
The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.
The SeaConnect 370W communicates with the remote βSealevel SeaCloudβ via MQTTS communications. While establishing this connection, the device chooses to explicitly ignore certificate validation errors, making man-in-the-middle type attacks substantially simpler to conduct. The initialization of the MQTTS connection occurs in the function GetConnected
, located at raw offset 0x10446 which is mapped to RAM for execution at 0x20010446. The function responsible for creating a secure socket is titled NetworkConnectTLS
, located in RAM at 0x2001BEB4 and referenced within GetConnected
at offset 0x7A. The prototype of the NetworkConnectTLS
function is approximately int NetworkConnectTLS(Network *n, char *host, int port, void *certificate_filename, int certificate_filename_len)
and when no certificate_filename
is supplied the socket will not perform any validation of the supplied server certificate.
Below, we see the portion of GetConnected
where the MQTTS client is established.
NewNetwork(network);
MQTTClientInit(mqtt_client, network, 10000, *p_tx_buffer, 512, *p_rx_buffer, 512);
mqtt_client->defaultMessageHandler = DefaultCallback;
mqtt_conf.port = 8883;
rc = NetworkConnectTLS(network, mqtt_conf.host, 8883, 0, 0);
Observe that NetworkConnectTLS
is called with no certificate_filename
provided and therefore no certificate validation is conducted.
Successfully performing a man-in-the-middle of the MQTTS connection would allow an unauthenticated remote attacker to make modifications to the state of the outputs, manipulate the reported states of inputs and even convince the device to apply a malicious firmware update.
2021-10-21 - Initial vendor contact
2021-10-26 - Vendor disclosure
2022-02-01 - Public Release
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.3%