A potential vulnerability has been reported to the MQTT OASIS Technical Committee for Eclipse Mosquitto. Topic strings in MQTT are defined to be UTF-8. The Eclipse Paho Java client validates these topic strings. If an invalid UTF-8 byte is received in the topic string, the connection is terminated, which is a common action in MQTT 3.1.1 for protocol errors. Mosquitto does not validate the topic string to check that it conforms to UTF-8. If many client applications that do validate the topic strings are connected and subscribed to a wildcarded topic, it is possible for a malicious publisher client to send a message to a topic string with incorrectly formatted UTF-8, causing all the receiving client applications to disconnect. Eclipse Mosquitto should validate the topic strings and not forward any messages with invalid UTF-8 topics. In general an MQTT server should perform as much validation as clients do, and often more.
I'm told that the reporter intends to go public with this information in April or May. I can confirm a more specific date if that's relevant. The Paho C client does include some validation code, which might be useful. https://github.com/eclipse/paho.mqtt.c/blob/master/src/utf-8.c
Do you want to have a CVE ID assigned?
I think Roger has agreed that a CVE is warranted, but I'll let him confirm.
I would appreciate a CVE assigned for this. There's no use hiding it! CVSS v2: 3.5 https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:N/A:P) CVSS v3: 4.3 https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
To register the CVE, I need a single paragraph description and a CWE [1]. Can you provide that please?
Description: The Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients. CWE: http://cwe.mitre.org/data/definitions/20.html
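The broker-side check that the report and the CVE description above call for, as an added example written for this thread rather than code from Mosquitto or Paho: a validator for a length-prefixed MQTT topic string that applies the well-formedness rules of UTF-8 plus the MQTT 3.1.1 requirements (section 1.5.3) that a topic must not contain U+0000 or UTF-16 surrogates. The function and sample topics are constructed for illustration; a broker would call it on an incoming PUBLISH before forwarding and drop the message (or close the publisher's connection) when it returns false, so subscribing clients never see the malformed topic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Mosquitto's or Paho's code): validate a length-prefixed
 * MQTT topic string as well-formed UTF-8 before the broker forwards it.
 * Rejects truncated sequences, stray or missing continuation bytes, overlong
 * encodings, code points above U+10FFFF, UTF-16 surrogates (U+D800..U+DFFF)
 * and U+0000. Returns true if the topic may be forwarded. */
bool mqtt_topic_utf8_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;

    while (i < len) {
        unsigned char lead = s[i];
        uint32_t cp;   /* decoded code point */
        size_t n;      /* continuation bytes expected after the lead byte */

        if (lead < 0x80) {                      /* 1-byte ASCII */
            if (lead == 0x00)
                return false;                   /* U+0000 forbidden in topics */
            i++;
            continue;
        } else if ((lead & 0xE0) == 0xC0) {     /* 2-byte sequence */
            if (lead < 0xC2)
                return false;                   /* C0/C1 are always overlong */
            cp = lead & 0x1F;
            n = 1;
        } else if ((lead & 0xF0) == 0xE0) {     /* 3-byte sequence */
            cp = lead & 0x0F;
            n = 2;
        } else if ((lead & 0xF8) == 0xF0) {     /* 4-byte sequence */
            if (lead > 0xF4)
                return false;                   /* would exceed U+10FFFF */
            cp = lead & 0x07;
            n = 3;
        } else {
            return false;                       /* stray continuation or F5..FF */
        }

        if (len - i <= n)
            return false;                       /* sequence runs past the end */

        for (size_t k = 1; k <= n; k++) {
            unsigned char c = s[i + k];
            if ((c & 0xC0) != 0x80)
                return false;                   /* not a continuation byte */
            cp = (cp << 6) | (c & 0x3F);
        }

        /* Reject overlong 3/4-byte forms and anything above U+10FFFF. */
        if (n == 2 && cp < 0x800)
            return false;
        if (n == 3 && (cp < 0x10000 || cp > 0x10FFFF))
            return false;
        /* UTF-16 surrogates are not valid Unicode scalar values. */
        if (cp >= 0xD800 && cp <= 0xDFFF)
            return false;

        i += n + 1;
    }
    return true;
}

/* Convenience wrapper for NUL-terminated C strings (these cannot carry U+0000,
 * so the length-based function above is the one a broker should use on the
 * wire-format topic). */
bool mqtt_topic_utf8_valid_cstr(const char *s)
{
    return mqtt_topic_utf8_valid((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample topics: the first two are well-formed, the rest are
     * malformed inputs a broker should refuse to forward. */
    const char *samples[] = {
        "sensors/+/temp",          /* plain ASCII with a wildcard */
        "caf\xC3\xA9/status",      /* U+00E9, valid 2-byte sequence */
        "\xC0\xAF",                /* overlong encoding of '/' */
        "\xED\xA0\x80",            /* UTF-16 surrogate U+D800 */
        "\xE2\x82",                /* truncated 3-byte sequence */
        "\xFF" "x",                /* byte 0xFF never appears in UTF-8 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("topic %zu: %s\n", i,
               mqtt_topic_utf8_valid_cstr(samples[i]) ? "forward" : "reject");
    }
    return 0;
}
```

The check is deliberately strict about overlong forms and surrogates rather than only rejecting bytes that can never occur in UTF-8: those are exactly the inputs that a lenient decoder on the broker would pass through while a conforming client library treats them as a protocol error and closes its connection.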
I've created a pull request against the CVE List. https://github.com/CVEProject/cvelist/pull/552
(In reply to Ian Craggs from comment #1)
> I'm told that the reporter intends to go public with this information in
> April or May. I can confirm a more specific date if that's relevant.

I missed a step. As part of the disclosure to CNA, I need to remove the committer-only flag and make this visible to the public. Can we do this now, or is there a timing issue?
(In reply to Wayne Beaton from comment #8)
> I missed a step. As part of the disclosure to CNA, I need to remove the
> committer-only flag and make this visible to the public. Can we do this now,
> or is there a timing issue?

I'm assuming that disclosure is okay and am removing the committer-only restriction.