Out-of-bounds write in pubsubclient - CVE-2018-17614

 


Published: December 5, 2018


Vulnerability identifier: #VU16241
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2018-17614
CWE-ID: CWE-787
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Nick O'Leary
Affected software:
pubsubclient

Detailed vulnerability description

This vulnerability allows an adjacent attacker to execute arbitrary code on vulnerable installations of Losant Arduino MQTT Client.

The weakness exists due to an unbounded write caused by a missing check on the “remaining length” field in a popular MQTT library. The check is missing in the parsing routine for an MQTT PUBLISH packet, specifically when reading the “remaining length” and “topic length” fields. An adjacent attacker can supply specially crafted input and cause a persistent denial-of-service (DoS) condition or execute code in the context of the current process on vulnerable devices that implement an MQTT client.
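The checks this class of bug calls for, shown as an added example (not pubsubclient's code and not part of the advisory): a PUBLISH parser for MQTT 3.1.1 framing that validates “remaining length” against the bytes received and the buffer, then “topic length” against the remaining length. `RX_BUF_SIZE`, `publish_view` and `parse_publish` are hypothetical names, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RX_BUF_SIZE 128  /* assumed receive-buffer size for this example */

/* Offsets into the packet; nothing is copied, so nothing can be overrun. */
typedef struct { size_t topic_off, payload_off, payload_len; uint16_t topic_len; } publish_view;

/* Validate an MQTT 3.1.1 PUBLISH packet held in pkt[0..len).
 * Returns 0 on success, negative on a malformed or oversized field. */
int parse_publish(const uint8_t *pkt, size_t len, publish_view *out)
{
    if (len < 2 || (pkt[0] >> 4) != 3) return -1;      /* type 3 = PUBLISH */

    /* Remaining length: 1..4 bytes, 7 data bits each, MSB = continuation. */
    size_t pos = 1;
    uint32_t remaining = 0;
    int shift = 0;
    uint8_t b;
    do {
        if (pos >= len || shift > 21) return -2;       /* truncated or a 5th length byte */
        b = pkt[pos++];
        remaining |= (uint32_t)(b & 0x7F) << shift;
        shift += 7;
    } while (b & 0x80);

    /* The declared body must fit both the bytes received and the buffer. */
    if (remaining > len - pos || pos + remaining > RX_BUF_SIZE) return -3;

    /* Body starts with a 2-byte topic length; a 2-byte packet id follows the topic if QoS > 0. */
    size_t fixed = 2 + (((pkt[0] >> 1) & 3) ? 2 : 0);
    if (remaining < fixed) return -4;
    uint16_t tlen = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    if (tlen > remaining - fixed) return -5;           /* topic must fit inside the body */

    out->topic_off = pos + 2;
    out->topic_len = tlen;
    out->payload_off = out->topic_off + tlen + (fixed - 2);
    out->payload_len = remaining - fixed - tlen;
    return 0;
}

int main(void)
{
    /* Constructed sample: topic length claims 0xFFFF inside a 3-byte body. */
    const uint8_t bad[] = { 0x30, 0x03, 0xFF, 0xFF, 'a' };
    publish_view v;
    printf("parse_publish -> %d\n", parse_publish(bad, sizeof bad, &v));
    return 0;
}
```

Every length taken from the wire is compared against a bound the receiver already knows before it is used as an index or size.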

Successful exploitation of the vulnerability may result in system compromise.

How to mitigate CVE-2018-17614

Update to version 2.7.
