A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads to control of device functionality.
Sealevel Systems, Inc. SeaConnect 370W v1.3.34
SeaConnect 370W - https://www.sealevel.com/product/370w-a-wifi-to-form-c-relays-digital-inputs-a-d-inputs-and-1-wire-bus-seaconnect-multifunction-io-edge-module-powered-by-seacloud/
7.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE-295 - Improper Certificate Validation
The SeaConnect 370W is a Wi-Fi connected IIoT device offering programmable cloud access and control of digital and analog I/O and a 1-wire bus.
This device offers remote control via several means including MQTT, Modbus TCP and a manufacturer-specific protocol named “SeaMAX API.”
The device is built on top of the TI CC3200 MCU with built-in Wi-Fi capabilities.
The SeaConnect 370W communicates with the remote “Sealevel SeaCloud” via MQTTS communications. While establishing this connection, the device chooses to explicitly ignore certificate validation errors, making man-in-the-middle type attacks substantially simpler to conduct. The initialization of the MQTTS connection occurs in the function
GetConnected, located at raw offset 0x10446 which is mapped to RAM for execution at 0x20010446. The function responsible for creating a secure socket is titled
NetworkConnectTLS, located in RAM at 0x2001BEB4 and referenced within
GetConnected at offset 0x7A. The prototype of the
NetworkConnectTLS function is approximately
int NetworkConnectTLS(Network *n, char *host, int port, void *certificate_filename, int certificate_filename_len) and when no
certificate_filename is supplied the socket will not perform any validation of the supplied server certificate.
Below, we see the portion of
GetConnected where the MQTTS client is established.
NewNetwork(network); MQTTClientInit(mqtt_client, network, 10000, *p_tx_buffer, 512, *p_rx_buffer, 512); mqtt_client->defaultMessageHandler = DefaultCallback; mqtt_conf.port = 8883; rc = NetworkConnectTLS(network, mqtt_conf.host, 8883, 0, 0);
NetworkConnectTLS is called with no
certificate_filename provided and therefore no certificate validation is conducted.
Successfully performing a man-in-the-middle of the MQTTS connection would allow an unauthenticated remote attacker to make modifications to the state of the outputs, manipulate the reported states of inputs and even convince the device to apply a malicious firmware update.
2021-10-21 - Initial vendor contact
2021-10-26 - Vendor disclosure
2022-02-01 - Public Release
Discovered by Francesco Benvenuto and Matt Wiseman of Cisco Talos.