CVE-2019-17210

Name of the Vulnerable Software and Affected Versions Arm Mbed OS version 2017-11-02

Description A denial-of-service issue was discovered in the MQTT library. The readMQTTLenString() function is vulnerable to manipulation, allowing an attacker to change the mqttstring->lenstring.len value to a larger value, skipping the if statement and defaulting mqttstring->lenstring.data to zero. This leads to unpredictable program behavior when curn is accessed, which points to mqttstring->lenstring.data. The behavior is highly dependent on the actual firmware.

Recommendations For Arm Mbed OS version 2017-11-02, consider disabling the readMQTTLenString() function as a temporary workaround until a patch is available. Restrict access to the MQTT library to minimize the risk of exploitation. Avoid using the mqttstring->lenstring.len variable in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.