Bug 563882 - Unauthorized retained message
Summary: Unauthorized retained message
Status: CLOSED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilitied reported against Eclipse projects CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-06-03 07:15 EDT by wang Jessie CLA
Modified: 2021-08-30 11:06 EDT

See Also:
Description wang Jessie CLA 2020-06-03 07:15:12 EDT
Dear Sir,
  Recently we found the vulnerability named unauthorized retained message in Mosquitto version 1.6.9.
  Following is the detailed description.
  1. We edit the ACL file and allow the adversary to connect to the server and publish messages to topic A.
  2. Then, the adversary publishes a malicious message to topic A with the retained flag.
  3. Next, we edit the ACL file and delete the authorization so the adversary cannot send messages to topic A, and send a SIGHUP signal to mosquitto to reload the ACL file.
  4. However, when the victim subscribes to topic A, he will receive the retained message that the adversary left before.

We believe that when the adversary loses the authorization to send messages to topic A, the retained message he registered before should be cleared.
Comment 1 Roger Light CLA 2021-08-30 11:06:47 EDT
If you have the `check_retain_source` option enabled, the originator of the retained message is checked before it is delivered to other clients. This was introduced in version 1.5.6.
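As an added illustration of the mitigation named in the comment above (this is an example written for this page, not the reporter's configuration or the Mosquitto project's own documentation), the following shows a minimal broker configuration with `check_retain_source` enabled together with an ACL file matching the report's scenario. The file paths, the user names `adversary` and `victim`, and the topic name `A` are assumed placeholders.

```conf
# mosquitto.conf (added example; all paths below are placeholders)
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/aclfile
# Re-check the original publisher of a retained message against the
# current ACL before the retained copy is delivered to a subscriber.
# Available since Mosquitto 1.5.6; set it explicitly rather than
# relying on the version-dependent default.
check_retain_source true

# /etc/mosquitto/aclfile (added example)
# Step 1 of the report: the adversary may publish to topic A.
user adversary
topic write A

# The victim may only read topic A.
user victim
topic read A

# Step 3 of the report: remove the "topic write A" line under
# "user adversary" above and send SIGHUP to the broker. With
# check_retain_source enabled, the retained message the adversary
# left on A is no longer delivered to a newly subscribing victim.
```

Note that `check_retain_source` withholds delivery; it does not delete the retained message from the broker's store. An operator who also wants the stale message gone can clear it by publishing a zero-length message with the retained flag to the same topic from a client that is still authorized to write there, which is the standard MQTT way of removing a retained message.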