Cesanta Mongoose TCP Blind RST Injection Vulnerability

Vulnerability

A vulnerability in Cesanta Mongoose versions through 7.20 allows blind TCP RST injection that disrupts active connections. The issue lies in the built-in TCP/IP stack (MIP), specifically in the `getpeer` function of `/src/net_builtin.c`. This function does not properly verify the source IP of incoming TCP segments and matches them to existing connections based solely on port numbers. As a result, an attacker can send a forged RST packet that terminates a connection without detection. This behavior violates RFC 5961 and lets any host on the local network disrupt TCP sessions by sending a single crafted packet with the correct port pair and an arbitrary source IP or sequence number.
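The following added example (not Mongoose's code and not from the original advisory) contrasts a port-only connection lookup with a lookup keyed on the source address as well, followed by the RST sequence check from RFC 5961 section 3.2. The struct, function names, addresses and sequence values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical connection record; not Mongoose's own struct. */
struct conn {
  uint32_t rem_ip;              /* peer IPv4 address */
  uint16_t rem_port, loc_port;  /* peer port, local port */
  uint32_t rcv_nxt, rcv_wnd;    /* next expected sequence number, window */
};
enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_CLOSE };

/* Constructed sample: peer 192.0.2.10:40000 connected to local port 80. */
static struct conn table[] = {{0xC000020Au, 40000, 80, 1000u, 4096u}};

/* Port-only lookup: the kind of matching the advisory describes. */
static struct conn *lookup_ports_only(struct conn *c, size_t n,
                                      uint16_t sport, uint16_t dport) {
  for (size_t i = 0; i < n; i++)
    if (c[i].rem_port == sport && c[i].loc_port == dport) return &c[i];
  return NULL;
}

/* Hardened lookup: the source address is part of the connection identity. */
static struct conn *lookup_full(struct conn *c, size_t n, uint32_t src_ip,
                                uint16_t sport, uint16_t dport) {
  for (size_t i = 0; i < n; i++)
    if (c[i].rem_ip == src_ip && c[i].rem_port == sport &&
        c[i].loc_port == dport) return &c[i];
  return NULL;
}

/* RFC 5961 section 3.2 handling of a segment with the RST bit set. */
static enum rst_action rst_check(const struct conn *c, uint32_t seq) {
  if (c == NULL) return RST_DROP;              /* no matching connection */
  if (seq == c->rcv_nxt) return RST_CLOSE;     /* exact match resets */
  if ((uint32_t) (seq - c->rcv_nxt) < c->rcv_wnd)
    return RST_CHALLENGE_ACK;                  /* in window: ACK, keep state */
  return RST_DROP;                             /* out of window: discard */
}

int main(void) {
  uint32_t other = 0xC6336407u; /* 198.51.100.7, constructed non-peer source */
  printf("port-only lookup matches non-peer source: %d\n",
         lookup_ports_only(table, 1, 40000, 80) != NULL);
  printf("full lookup + RFC 5961 action for non-peer RST: %d\n",
         rst_check(lookup_full(table, 1, other, 40000, 80), 1000u));
  return 0;
}
```

The subtraction in `rst_check` is done in unsigned 32-bit arithmetic so the window test stays correct when sequence numbers wrap.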

Impact

Exploitation of this vulnerability allows for arbitrary termination of TCP connections, causing a denial-of-service effect on the Mongoose device. This interruption impacts all TCP-based communications, including HTTP, MQTT, and WebSocket sessions. Additionally, the vulnerability could be exploited to hijack TCP sessions, taking advantage of predictable port numbers and sequence numbers in the Mongoose TCP stack.

Reproduction

The vulnerability can be reproduced by sending a Mongoose server a TCP RST packet, which the server does not validate for source IP or sequence number. This can be done using a socket pair to simulate network conditions, first establishing a legitimate connection and then injecting an RST packet from a different IP address with a forged sequence number. The Mongoose server will accept the RST and terminate the connection, demonstrating the vulnerability.

Added: Feb 23, 2026, 4:18 AM
Updated: Feb 23, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 7.3
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.