Vulnerability identifier: #VU16241
Vulnerability risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-787
Exploitation vector: Local network
Exploit availability: No
Vulnerable software: pubsubclient (Universal components / Libraries / Libraries used by multiple products)
Vendor: Nick O'Leary
Description
This vulnerability allows an adjacent attacker to execute arbitrary code on vulnerable installations of Losant Arduino MQTT Client.
The weakness exists due to an unbounded write caused by a missing check on the “remaining length” field in a popular MQTT library during the parsing routine for an MQTT PUBLISH packet, specifically when reading the “remaining length” and “topic length” fields. An adjacent attacker can supply specially crafted input and cause a persistent denial-of-service (DoS) condition or execute code on vulnerable devices that implement an MQTT client, in the context of the current process.
Successful exploitation of the vulnerability may result in system compromise.
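The missing checks described above, shown from the defender's side as an added example that is not pubsubclient's own code: a parser for the PUBLISH fixed header that validates the "remaining length" and "topic length" fields against the bytes actually received before using them. MQTT_MAX_PACKET_SIZE, the struct and the function names are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed receive-buffer size for this illustration (small Arduino-class client). */
#define MQTT_MAX_PACKET_SIZE 128
#define MQTT_PUBLISH_TYPE    0x30   /* control packet type 3 in the upper nibble */

typedef struct {
    size_t remaining_len;   /* decoded "remaining length" field */
    size_t topic_len;       /* decoded "topic length" field */
    size_t topic_offset;    /* offset of the first topic byte inside the packet */
} mqtt_publish_hdr;

/* Decode the variable-length "remaining length" (1..4 bytes, 7 data bits each,
   high bit = continuation). Returns bytes consumed, or 0 if the encoding is
   truncated or runs past 4 bytes. */
static size_t mqtt_decode_remaining_len(const uint8_t *buf, size_t len, size_t *out)
{
    size_t value = 0, mult = 1, i = 0;
    do {
        if (i >= len || i >= 4) return 0;
        value += (size_t)(buf[i] & 0x7F) * mult;
        mult *= 128;
    } while (buf[i++] & 0x80);
    *out = value;
    return i;
}

/* Parse the header of a PUBLISH packet held in `len` received bytes. Every
   length field is checked against the bytes actually present before it is used.
   Returns 0 on success, -1 on malformed or oversized input (the case the
   advisory's missing check let through). Payload and QoS packet id are left
   to the caller. */
int mqtt_parse_publish(const uint8_t *pkt, size_t len, mqtt_publish_hdr *h)
{
    size_t rl, n, tl;
    if (len < 2 || (pkt[0] & 0xF0) != MQTT_PUBLISH_TYPE) return -1;
    n = mqtt_decode_remaining_len(pkt + 1, len - 1, &rl);
    if (n == 0) return -1;
    /* Remaining length must fit both the fixed buffer and what was received. */
    if (rl > MQTT_MAX_PACKET_SIZE || rl > len - 1 - n) return -1;
    if (rl < 2) return -1;                      /* no room for the topic length */
    tl = ((size_t)pkt[1 + n] << 8) | pkt[2 + n];
    /* Topic length must fit inside the remaining length after its own 2 bytes. */
    if (tl > rl - 2) return -1;
    h->remaining_len = rl;
    h->topic_len     = tl;
    h->topic_offset  = 3 + n;
    return 0;
}
```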
Mitigation
Update to version 2.7.
Vulnerable software versions
pubsubclient: 1.1 - 2.6
External links
http://blog.trendmicro.com/trendlabs-security-intelligence/machine-to-machine-m2m-technology-design...
http://www.zerodayinitiative.com/advisories/ZDI-18-1337/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.