CVE-2018-17614

Name of the Vulnerable Software and Affected Versions Losant Arduino MQTT Client versions prior to V2.7

Description This issue allows remote attackers to execute arbitrary code on vulnerable installations. User interaction is not required to exploit this issue. The specific flaw exists within the parsing of MQTT PUBLISH packets, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the current process.

Recommendations For versions prior to V2.7, update to version V2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the MQTT PUBLISH packet parsing functionality until a patch is available. Avoid using the Losant Arduino MQTT Client with untrusted MQTT connections until the issue is resolved.