Cesanta Mongoose Denial-of-Service Vulnerability in TCP Option Handling

Vulnerability

A denial-of-service vulnerability has been identified in Cesanta Mongoose versions prior to 7.21. The issue arises in the TCP Option Handler within the `handle_opt` function of the file `/src/net_builtin.c`. The vulnerability is caused by a missing validation of the `optlen` field in TCP options. When `optlen` is set to zero, the function enters an infinite loop, effectively freezing the Mongoose event loop. This issue can be exploited remotely with a single unauthenticated TCP SYN packet that includes a malformed option. The vulnerability has been publicly disclosed and is known to be exploitable.
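The length check whose absence is described above, shown as an added example; this is not Mongoose's `handle_opt` code or its 7.21 fix. The function name `tcp_options_mss` and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample option areas for this example (not captured traffic). */
static const uint8_t OPTS_VALID[] = {2, 4, 0x05, 0xb4, 1, 1, 0}; /* MSS 1460, NOP, NOP, EOL */
static const uint8_t OPTS_ZERO_LEN[] = {2, 0, 0, 0};             /* optlen == 0 */
static const uint8_t OPTS_OVERRUN[] = {1, 2, 4, 0x05};           /* MSS option cut short */

/* Hypothetical helper: returns the MSS (> 0), 0 if no MSS option is present,
 * or -1 if the options area is malformed. Every pass through the loop
 * advances i by at least one byte, so it terminates for any input. */
int tcp_options_mss(const uint8_t *opts, size_t len) {
  size_t i = 0;
  int mss = 0;
  while (i < len) {
    uint8_t kind = opts[i];
    if (kind == 0) break;              /* End of Option List */
    if (kind == 1) { i++; continue; }  /* NOP is one byte, no length field */
    if (len - i < 2) return -1;        /* length byte is missing */
    uint8_t optlen = opts[i + 1];
    /* optlen counts the kind and length bytes themselves, so 0 and 1 are
     * invalid. Without this check, optlen == 0 never advances i. */
    if (optlen < 2) return -1;
    if (optlen > len - i) return -1;   /* option runs past the options area */
    if (kind == 2) {                   /* Maximum Segment Size */
      if (optlen != 4) return -1;
      mss = (opts[i + 2] << 8) | opts[i + 3];
      if (mss == 0) return -1;         /* keep 0 reserved for "absent" */
    }
    i += optlen;                       /* always >= 2 here */
  }
  return mss;
}

int main(void) {
  printf("valid:    %d\n", tcp_options_mss(OPTS_VALID, sizeof OPTS_VALID));
  printf("zero len: %d\n", tcp_options_mss(OPTS_ZERO_LEN, sizeof OPTS_ZERO_LEN));
  printf("overrun:  %d\n", tcp_options_mss(OPTS_OVERRUN, sizeof OPTS_OVERRUN));
  return 0;
}
```

A parser that rejects the segment on `-1` drops the malformed SYN instead of spinning in the option loop.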

Impact

Exploitation of this vulnerability leads to an infinite loop in the TCP option handling, causing a complete and permanent freeze of the device running Mongoose. The single-threaded event loop becomes unresponsive, halting all network processing, protocol state machines, timers, and connection lifecycles. Recovery is only possible through a power cycle or a hardware watchdog reset.

Reproduction

The vulnerability can be reproduced by sending a TCP SYN packet with a zero-length option to a Mongoose server listening on any port. The packet reaches `handle_opt`, which does not validate the `optlen` field.

Remediation

Upgrading to Cesanta Mongoose version 7.21 or later resolves this vulnerability.

Added: Apr 25, 2026, 5:19 PM
Updated: Apr 25, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.