Nozomi Networks has uncovered 10 critical vulnerabilities in the Mongoose Web Server Library, which is widely used in embedded systems and IoT devices. These vulnerabilities were discovered in version 7.14 of the library and are primarily associated with its Transport Layer Security (TLS) implementation. The flaws allow attackers to send specially crafted TLS packets to vulnerable devices, causing crashes, instability, and denial of service (DoS). The issue arises from improper handling of memory within the TLS protocol, potentially leading to serious operational disruptions in environments where reliability is paramount.
Mongoose, developed by Cesanta, is a lightweight, open-source networking library that powers embedded systems. It supports protocols like HTTP, WebSocket, and TLS and is used in critical systems across industries. The library’s popularity has surged due to its ability to provide secure communications without taxing the limited resources of embedded devices. However, due to the lightweight nature of Mongoose, some of its components, like the TLS stack, had not been integrated into advanced fuzz-testing pipelines, leaving certain vulnerabilities undetected until now.
The discovered flaws, such as CVE-2024-42386, could result in memory corruption and lead to a crash of affected systems. In some cases, these vulnerabilities could make devices unresponsive or cause them to continuously reboot, creating operational chaos in sectors like healthcare or manufacturing, where these devices are crucial for ensuring safety and continuous monitoring. With IoT devices frequently operating unattended in sensitive environments, the risks posed by such vulnerabilities are especially high. A compromised device could potentially disrupt an entire network of connected systems.
In response to these critical vulnerabilities, Cesanta has swiftly developed and released version 7.15 of the Mongoose Web Server Library, which includes patches addressing the identified security issues. Nozomi Networks strongly recommends that all organizations using Mongoose update to this new version immediately to mitigate the risk of exploitation. As the library is integral to many systems used globally, from smart homes to industrial automation, ensuring that devices remain secure is essential for maintaining the integrity and safety of these vital operations.
