Bug 563881 - Unauthorized response topic
Summary: Unauthorized response topic
Status: CLOSED MOVED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilitied reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-06-03 06:59 EDT by wang Jessie
Modified: 2021-12-23 06:46 EST (History)
CC List: 2 users

See Also:
Description wang Jessie 2020-06-03 06:59:13 EDT
Dear sir,
  I am glad to see that Mosquitto supports MQTT v5. However, I have found a potential vulnerability, which I call the unauthorized response topic.
  We find that the ACL doesn't define access control on the response topic, which we find important in MQTT. For example, the adversary cannot publish messages to topic A, but a victim is allowed to publish messages to topic A. The adversary sends a PUBLISH packet to topic B with response topic A and correlation data. The aforementioned victim, subscribed to topic B, receives the PUBLISH message with the response topic and correlation data. According to the MQTT v5.0 specification, the victim will then send the malicious correlation data to topic A.

  This suggests that the adversary can use the response topic indirectly. We believe the ACL should add access control for the response topic, and the server should check whether the adversary has authority over the response topic given in its CONNECT or PUBLISH packet.
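The check proposed in the report, as an added illustration that is not Mosquitto's code or the reporter's: a small ACL model in which the baseline function authorises only the PUBLISH topic (the behaviour described above), beside a hardened function that also requires the publisher to hold publish rights on the MQTT v5 Response Topic property, since a responder will publish the correlation data there on the requester's behalf. The `ClientAcl` class, the function names and the topic names `A`/`B` are constructed for this example and do not correspond to Mosquitto's ACL file format or plugin API.

```python
# Added example, not Mosquitto code: extending a publish ACL check to the
# MQTT v5 Response Topic property carried in a PUBLISH packet.
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class ClientAcl:
    """Per-client ACL (constructed format, not Mosquitto's acl_file):
    topic filters the client may publish to and may subscribe to."""
    publish: Set[str] = field(default_factory=set)
    subscribe: Set[str] = field(default_factory=set)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Minimal MQTT topic-filter matching supporting '+' (one level)
    and '#' (this level and all below, only as the last level)."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return True
        if i >= len(t_parts):
            return False
        if fp != "+" and fp != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def may_publish(acl: ClientAcl, topic: str) -> bool:
    """True if any publish filter in the ACL covers the topic name."""
    return any(topic_matches(f, topic) for f in acl.publish)


def check_publish_topic_only(acl: ClientAcl, topic: str,
                             response_topic: Optional[str] = None) -> bool:
    """Baseline: only the PUBLISH topic is authorised. The Response Topic
    property is ignored, which is the gap the report describes."""
    return may_publish(acl, topic)


def check_publish_with_response_topic(acl: ClientAcl, topic: str,
                                      response_topic: Optional[str] = None) -> bool:
    """Hardened: the publisher must also be allowed to publish to the
    Response Topic, because the responder will publish the correlation
    data there in reply. A Response Topic is a Topic Name, so wildcard
    characters in it are rejected outright (MQTT v5 spec 3.3.2.3.5)."""
    if not may_publish(acl, topic):
        return False
    if response_topic is not None:
        if "+" in response_topic or "#" in response_topic:
            return False
        if not may_publish(acl, response_topic):
            return False
    return True


def scenario_from_report():
    """Constructed scenario: requester may publish only to B, responder may
    publish to A and is subscribed to B. Returns (baseline, hardened)
    decisions for a PUBLISH to B carrying Response Topic A."""
    requester = ClientAcl(publish={"B"})
    responder = ClientAcl(publish={"A"}, subscribe={"B"})  # not consulted here
    baseline = check_publish_topic_only(requester, "B", response_topic="A")
    hardened = check_publish_with_response_topic(requester, "B", response_topic="A")
    return baseline, hardened


if __name__ == "__main__":
    baseline, hardened = scenario_from_report()
    print("topic-only check allows PUBLISH:", baseline)          # True
    print("response-topic check allows PUBLISH:", hardened)      # False
```

The responder's own ACL is unchanged in this model: it still legitimately holds publish rights on A, which is exactly why the decision has to be made at the requester's PUBLISH, where the Response Topic is first seen by the broker.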
Comment 1 Roger Light 2021-08-30 11:02:29 EDT
What could count as malicious correlation data? It is just a binary blob for comparison to see what request and response match.
Comment 2 Frederic Gurr 2021-12-23 06:46:12 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/501.