#VU16241 Out-of-bounds write in pubsubclient


Published: 2018-12-05

Vulnerability identifier: #VU16241

Vulnerability risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-17614

CWE-ID: CWE-787

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
pubsubclient
Universal components / Libraries / Libraries used by multiple products

Vendor: Nick O'Leary

Description
This vulnerability allows an adjacent attacker to execute arbitrary code on vulnerable installations of Losant Arduino MQTT Client.

The weakness exists due to an unbounded write caused by a missing check on the “remaining length” field in a popular MQTT library during the parsing routine for an MQTT PUBLISH packet, specifically when reading the “remaining length” and “topic length” fields. An adjacent attacker can supply specially crafted input and cause a persistent denial-of-service (DoS) condition or execute code on vulnerable devices that implement an MQTT client, in the context of the current process.

Successful exploitation of the vulnerability may result in system compromise.
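The two length checks the description says were missing, shown as an added C example written for this page (it is not pubsubclient's code and does not reproduce its parser). The fixed buffer size MQTT_MAX_PACKET, the function names and the sample packets are assumptions constructed for illustration; the packet layout follows the MQTT 3.1.1 PUBLISH format (fixed header, varint remaining length, 2-byte topic length, topic, optional packet identifier, payload).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed fixed receive buffer size, typical of small embedded MQTT clients
   (assumption for this example, not a value taken from the advisory). */
#define MQTT_MAX_PACKET 128

typedef struct {
    const uint8_t *topic;
    uint16_t topic_len;
    const uint8_t *payload;
    size_t payload_len;
} mqtt_publish_t;

/* Decode the MQTT "remaining length" varint (1-4 bytes, 7 data bits each).
   Returns the number of bytes consumed, or 0 if the field is truncated or too long. */
static size_t decode_remaining_length(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 0;
    do {
        if (i >= len || i >= 4)
            return 0;
        value += (uint32_t)(buf[i] & 0x7F) * multiplier;
        multiplier *= 128;
        i++;
    } while (buf[i - 1] & 0x80);
    *out = value;
    return i;
}

/* Parse a PUBLISH packet from buf (len bytes actually received) into out.
   Returns 0 on success, -1 if the packet is malformed or would not fit in a
   receive buffer of max_packet bytes. Every length field that arrives from the
   network is checked against what was really received before it is used. */
int parse_publish(const uint8_t *buf, size_t len, size_t max_packet, mqtt_publish_t *out)
{
    if (len < 2 || (buf[0] >> 4) != 3)          /* control packet type 3 = PUBLISH */
        return -1;
    uint8_t qos = (buf[0] >> 1) & 0x03;
    if (qos == 3)                                /* reserved QoS value */
        return -1;

    uint32_t remaining;
    size_t hdr = decode_remaining_length(buf + 1, len - 1, &remaining);
    if (hdr == 0)
        return -1;
    size_t pos = 1 + hdr;

    /* The check the advisory describes as missing: the attacker-controlled
       "remaining length" must not exceed the bytes received or the buffer. */
    if (remaining > len - pos || pos + remaining > max_packet)
        return -1;
    if (remaining < 2)                           /* need at least the topic length field */
        return -1;

    uint16_t topic_len = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    pos += 2;
    /* The "topic length" must fit inside the already-validated remaining length. */
    if (topic_len > remaining - 2)
        return -1;
    out->topic = buf + pos;
    out->topic_len = topic_len;
    pos += topic_len;

    size_t consumed = 2u + topic_len;
    if (qos > 0) {                               /* QoS 1/2 carry a 2-byte packet identifier */
        if (remaining - consumed < 2)
            return -1;
        pos += 2;
        consumed += 2;
    }
    out->payload = buf + pos;
    out->payload_len = remaining - consumed;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_GOOD[] = { 0x30, 0x07, 0x00, 0x03, 'a', '/', 'b', 'h', 'i' };
static const uint8_t PKT_HUGE_REMAINING[] = { 0x30, 0xFF, 0xFF, 0xFF, 0x7F };    /* claims 268435455 bytes */
static const uint8_t PKT_BAD_TOPIC_LEN[] = { 0x30, 0x04, 0x00, 0x10, 0x00, 0x00 }; /* topic length 16 inside 4 bytes */

/* Each helper returns 1 when the parser behaves as expected for that packet. */
int check_good_packet(void)
{
    mqtt_publish_t p;
    return parse_publish(PKT_GOOD, sizeof PKT_GOOD, MQTT_MAX_PACKET, &p) == 0
        && p.topic_len == 3 && p.payload_len == 2 && p.payload[0] == 'h';
}
int check_huge_remaining_rejected(void)
{
    mqtt_publish_t p;
    return parse_publish(PKT_HUGE_REMAINING, sizeof PKT_HUGE_REMAINING, MQTT_MAX_PACKET, &p) == -1;
}
int check_bad_topic_len_rejected(void)
{
    mqtt_publish_t p;
    return parse_publish(PKT_BAD_TOPIC_LEN, sizeof PKT_BAD_TOPIC_LEN, MQTT_MAX_PACKET, &p) == -1;
}
int check_buffer_limit_rejected(void)
{
    mqtt_publish_t p;   /* valid 9-byte packet, but a receive buffer that holds only 8 */
    return parse_publish(PKT_GOOD, sizeof PKT_GOOD, 8, &p) == -1;
}

int main(void)
{
    printf("good=%d huge=%d topic=%d limit=%d\n", check_good_packet(),
           check_huge_remaining_rejected(), check_bad_topic_len_rejected(), check_buffer_limit_rejected());
    return 0;
}
```

The point of the example is the order of validation: the remaining length is compared against both the bytes actually received and the fixed buffer before any copy or index uses it, and the topic length is then bounded by that validated remaining length rather than trusted on its own. A parser that skips either comparison, which is what the description attributes to versions before 2.7, lets a network peer choose how far past the receive buffer the copy runs.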

Mitigation
Update to version 2.7.

Vulnerable software versions

pubsubclient: 1.1 - 2.6


External links
http://blog.trendmicro.com/trendlabs-security-intelligence/machine-to-machine-m2m-technology-design...
http://www.zerodayinitiative.com/advisories/ZDI-18-1337/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

