CVE-2021-21960

10.0 CRITICAL

📋 TL;DR

A critical stack-based buffer overflow vulnerability in Sealevel Systems SeaConnect 370W's LLMNR functionality allows remote attackers to execute arbitrary code by sending specially crafted network packets. This affects all systems running the vulnerable firmware version, potentially giving attackers full control over affected devices.

💻 Affected Systems

Products:
  • Sealevel Systems SeaConnect 370W
Versions: v1.3.34
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: LLMNR functionality is enabled by default in affected firmware version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution leading to device takeover, lateral movement, and persistent access to industrial control networks.

🟠 Likely Case

Remote code execution allowing attackers to install malware, disrupt operations, or use device as pivot point for further attacks.

🟢 If Mitigated

Limited impact if device is isolated behind firewalls with strict network segmentation and packet filtering.

🌐 Internet-Facing: HIGH - Directly exploitable via network packets without authentication.
🏢 Internal Only: HIGH - Exploitable from any network segment with access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in Talos Intelligence reports. Attack requires network access to device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.3.35 or later

Vendor Advisory: https://www.sealevel.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Download latest firmware from Sealevel support portal.
2. Backup current configuration.
3. Upload new firmware via web interface.
4. Reboot device.
5. Verify firmware version.

🔧 Temporary Workarounds

Disable LLMNR

all

Disable Link-Local Multicast Name Resolution functionality if not required.

Configuration via web interface: Network Settings → Advanced → Disable LLMNR

Network Segmentation

all

Isolate SeaConnect devices in separate VLAN with strict firewall rules.

🧯 If You Can't Patch

  • Implement strict network access controls allowing only trusted IPs to communicate with SeaConnect devices.
  • Deploy intrusion detection systems to monitor for exploit attempts and anomalous network traffic.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System → About → Firmware Version

Check Version:

curl -s http://device-ip/api/system/info | grep firmware_version

Verify Fix Applied:

Verify that the firmware version is v1.3.35 or later, and confirm that LLMNR functionality is either patched or disabled.

📡 Detection & Monitoring

Log Indicators:

  • Multiple malformed LLMNR packets
  • System crash/restart logs
  • Unusual process creation

Network Indicators:

  • Unusual LLMNR traffic to SeaConnect devices
  • Large or malformed LLMNR packets
  • Traffic from unexpected sources

SIEM Query:

source="firewall" AND dest_ip="seaconnect_device" AND (protocol="udp" AND port=5355) AND packet_size>512
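
The "large or malformed LLMNR packets" indicator above can also be evaluated per packet on a sensor that sees UDP/5355 payloads. The Python below is an added example, not vendor or Talos code: it applies general RFC 4795 / RFC 1035 well-formedness checks and is not a signature for this specific flaw. The function names, anomaly tags and sample packets are constructed for illustration.

```python
import struct

MAX_PAYLOAD = 512              # same size threshold as the SIEM query above
MAX_LABEL, MAX_NAME = 63, 255  # RFC 1035 name limits, reused by LLMNR (RFC 4795)

def check_llmnr(payload: bytes) -> list:
    """Return anomaly tags for one UDP/5355 payload; an empty list means clean."""
    findings = ["oversize"] if len(payload) > MAX_PAYLOAD else []
    if len(payload) < 12:
        return findings + ["truncated-header"]
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        findings.append("qdcount!=1")    # RFC 4795 messages carry one question
    off, name_len = 12, 1                # name_len starts at 1 for the root byte
    while True:                          # walk the first question name
        if off >= len(payload):
            return findings + ["name-runs-past-end"]
        n = payload[off]
        if n == 0:
            off += 1
            break
        if n > MAX_LABEL:                # also catches compression pointers
            return findings + ["label>63-or-pointer"]
        if off + 1 + n > len(payload):
            return findings + ["label-runs-past-end"]
        name_len += n + 1
        off += n + 1
    if name_len > MAX_NAME:
        findings.append("name>255")
    if off + 4 > len(payload):
        findings.append("missing-qtype-qclass")
    return findings

def build_query(labels, pad=0):
    """Constructed test input: one-question LLMNR query, optional trailing pad."""
    header = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1) + b"\x00" * pad

# Constructed samples, not captured traffic.
SAMPLES = {
    "ok": build_query([b"host1"]),
    "oversize": build_query([b"host1"], pad=600),
    "long-name": build_query([b"a" * 63] * 5),
    "cut-label": build_query([b"host1"])[:15],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} len={len(pkt):4} -> {check_llmnr(pkt) or 'clean'}")
```

Any non-empty result for traffic destined to a SeaConnect device is worth correlating with the crash/restart log indicator listed above.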
