Bug 530102 (CVE-2017-7652) - Reloading Mosquitto configuration may fail if no file descriptors are available
Summary: Reloading Mosquitto configuration may fail if no file descriptors are available
Status: RESOLVED FIXED
Alias: CVE-2017-7652
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 critical
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
Reported: 2018-01-21 17:29 EST by Roger Light
Modified: 2018-04-25 09:49 EDT
Description Roger Light 2018-01-21 17:29:50 EST
If a mosquitto instance is set running with a configuration file, then sending a HUP signal to the server triggers the configuration to be reloaded from disk.

If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.

The process of reloading currently follows the steps:

* Reset configuration to defaults
* Open file
* Load file and apply new settings to configuration struct

That means that if opening the file fails, then the (almost) default configuration is used instead of the file configuration. Security settings such as password_file and acl_file will be at the default of "not used".

The outcome of this is that if an already authenticated client connects enough clients so that the available file descriptors are exhausted then it is possible the security options will be removed and they may be able to access topics that were previously restricted.

CVSS v2: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:M/C:C/I:C/A:N/E:POC/RL:OF/RC:C/CDP:ND/TD:ND/CR:M/IR:M/AR:ND)

CVSS v3: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/MAV:N/MAC:H/MPR:L/MUI:R/MS:U/MC:H/MI:H/MA:N

I've set "official fix released" on those, I've got the fix but it's obviously not released yet.
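As an added illustration, not code from this report or from the Mosquitto project: a toy reload in C that contrasts the reset-then-open order described in the report with an open-then-commit order, and drives both with the process's descriptors exhausted. The `struct config`, the one-line file format and the `/tmp` paths are hypothetical stand-ins.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical stand-in for the broker's config; an empty password_file means "not used". */
struct config { char password_file[128]; };

/* Order described in the report: reset to defaults, then open. A failed fopen leaves the defaults. */
int reload_reset_first(struct config *c, const char *path) {
    memset(c, 0, sizeof *c);
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;            /* password_file is already cleared at this point */
    int rc = fscanf(fp, "password_file %127s", c->password_file) == 1 ? 0 : -1;
    fclose(fp);
    return rc;
}
/* Safer order: open and parse into a scratch copy, commit only on success. */
int reload_open_first(struct config *c, const char *path) {
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;            /* running configuration untouched */
    struct config fresh = {{0}};
    int rc = fscanf(fp, "password_file %127s", fresh.password_file) == 1 ? 0 : -1;
    fclose(fp);
    if (rc == 0) *c = fresh;
    return rc;
}
/* Writes a constructed sample config (single "password_file <path>" line) so the example runs offline. */
int write_sample_config(const char *path) {
    FILE *fp = fopen(path, "w");
    return (fp && fputs("password_file /tmp/example_pwfile\n", fp) >= 0 && fclose(fp) == 0) ? 0 : -1;
}

/* Lower RLIMIT_NOFILE, open /dev/null until it fails, run one reload on a config that has
   password_file set, then release the descriptors. Returns 1 if password_file survived, else 0. */
int reload_under_fd_exhaustion(int (*reload)(struct config *, const char *), const char *path) {
    struct config c = { "/tmp/example_pwfile" };
    struct rlimit saved, low;
    int fds[64], n = 0;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) return -1;
    low = saved; low.rlim_cur = saved.rlim_cur < 32 ? saved.rlim_cur : 32;   /* lowering is always allowed */
    if (setrlimit(RLIMIT_NOFILE, &low) != 0) return -1;
    while (n < 64 && (fds[n] = open("/dev/null", O_RDONLY)) >= 0) n++;
    reload(&c, path);              /* fopen fails with EMFILE here */
    while (n > 0) close(fds[--n]);
    setrlimit(RLIMIT_NOFILE, &saved);
    return c.password_file[0] != '\0';
}
```

With descriptors exhausted, the reset-first reload reports failure but leaves `password_file` empty (the "not used" default), while the open-first reload fails and keeps the previous setting.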
Comment 1 Jens Reimann 2018-02-27 04:39:01 EST
Assigned: CVE-2017-7652
Comment 2 Roger Light 2018-04-16 17:03:41 EDT
This was fixed in 1.4.15.
Comment 3 Wayne Beaton 2018-04-24 23:47:49 EDT
I've removed the "Committers only" flag.