Francesco Benvenuto and Matt Wiseman of Cisco Talos discovered these vulnerabilities.

Update (Feb. 16, 2022): We are also disclosing a vulnerability in the Texas Instruments CC3200 SimpleLink microcontroller that is related to the SeaConnect vulnerabilities outlined in this post. For more on TALOS-2021-1393, read the full advisory here.

Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.’s SeaConnect internet-of-things edge device — many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device.

The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API."

There are three buffer overflow vulnerabilities — TALOS-2021-1389 (CVE-2021-21960 and CVE-2021-21961) and TALOS-2021-1390 (CVE-2021-21962) — that exist in this device which could allow an attacker to execute arbitrary code on the targeted machine. These vulnerabilities have severity scores of 10.0, 10.0, and 9.0 respectively, making them the most serious of the reported vulnerabilities.

Another vulnerability, TALOS-2021-1388 (CVE-2021-21959), makes it easier for an adversary to carry out a man-in-the-middle attack between the device and the SeaConnect cloud service, and eventually take complete control of the device. While conducting a man-in-the-middle attack, the adversary could then exploit any of TALOS-2021-1391 (CVE-2021-21963), TALOS-2021-1395 (CVE-2021-21968), TALOS-2021-1396 (CVE-2021-21969 and CVE-2021-21970) or TALOS-2021-1397 (CVE-2021-21971) to carry out a variety of malicious actions, including arbitrarily overwriting files or causing an out-of-bounds write.

TALOS-2021-1394 (CVE-2021-21967) also requires the attacker to carry out man-in-the-middle espionage to eventually cause a denial of service on the device, while TALOS-2021-1392 (CVE-2021-21964 and CVE-2021-21965) could also cause a DoS after sending specially crafted packets to the targeted device.

Talos researchers also discovered a vulnerability in an outdated Eclipse Foundation Embedded Paho MQTT Client-C library which the SeaConnect 370W relies on. TALOS-2021-1406 (CVE-2021-41036) could allow an adversary to trigger an out-of-bounds write on the device. The Eclipse Foundation and SeaConnect have both acknowledged and fixed this issue.

Cisco Talos worked with Sealevel Systems to ensure that all other issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are advised to update the Sealevel Systems Inc. SeaConnect 370W running version 1.3.34, which is tested and confirmed to be affected by these vulnerabilities.

The following SNORTⓇ rules will detect exploitation attempts against these vulnerabilities: 58386, 58414 – 58417, 58458, 58461 - 58463. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall management center or Snort.org.