These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos
Today, Talos is disclosing several vulnerabilities that have been identified in Cesanta Mongoose server.
Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses.
All these discovered vulnerabilities are fixed in version 6.10 of the library.
Vulnerability Details
TALOS-2017-0398 (CVE-2017-2891) - Cesanta Mongoose HTTP Server CGI Remote Code Execution Vulnerability
TALOS-2017-0398 manifests itself as an exploitable use-after-free vulnerability that exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of a previously freed pointer potentially resulting in remote code execution. An attacker needs to send this HTTP request over the network to trigger this vulnerability.
TALOS-2017-0399 (CVE-2017-2892) - Cesanta Mongoose MQTT Payload Length Remote Code Execution
TALOS-2017-0399 manifests itself as an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an out of bounds and arbitrary memory read and write, potentially resulting in information disclosure, denial of service and remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
TALOS-2017-0400 (CVE-2017-2893) - Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service
TALOS-2017-0400 describes an exploitable NULL pointer dereference vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to a server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
TALOS-2017-0401 (CVE-2017-2894) - Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution
TALOS-2017-0401 is an exploitable stack buffer overflow vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
TALOS-2017-0402 (CVE-2017-2895) - Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak
TALOS-2017-0402 documents an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an out of bounds and arbitrary memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
TALOS-2017-0416 (CVE-2017-2909) - Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service
TALOS-2017-0416 describes an infinite loop programming error that exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over the network to trigger this vulnerability.
TALOS-2017-0428 (CVE-2017-2921) - Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability
TALOS-2017-0428 is an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow leading to a heap buffer overflow resulting in denial of service and potentially remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.
TALOS-2017-0429 (CVE-2017-2922) - Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability
TALOS-2017-0429describes an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which can lead to use-after-free vulnerability that can be exploited to achieve remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.
For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:
http://www.talosintelligence.com/vulnerability-reports/
Discussion
IoT devices often have limited processing and memory resources but they also require lightweight and resilient communications protocols. One of the protocols frequently used for IoT and mobile messaging applications is MQ Telemetry Transport (MQTT).
MQTT is a lightweight network protocol used for publish/subscribe messaging between devices. MQTT is a standard protocol accepted by the OASIS consortium for the adoption of open standards.
The protocol is designed to be open, simple and easy to implement, allowing thousands of lightweight clients to be supported by a single server. The design attempts to minimize bandwidth requirements while attempting to ensure reliability of delivery.
Cesanta Mongoose is a popular communications library designed for implementation as a lightweight embedded library supporting several server and client application layer protocols, such as HTTP, MQTT, WebSockets, DNS and CoAP. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms.
These vulnerabilities discovered by Talos may allow attackers to take over implementations of vulnerable versions of the Cesanta Mongoose server and control individual devices as well as the associated servers running it. Users are recommended to work with the affected device vendors to ensure that the latest security patches for Cesanta Mongoose are applied to all vulnerable devices and applications.
Coverage
The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules:
- 23039 - 23040