
[mosquitto-dev] Security advisory - CVE-2017-7650

Dear all,

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11 inclusive
known as CVE-2017-7650.

Pattern based ACLs can be bypassed by clients that set their
username/client id to '#' or '+'. This allows locally or remotely
connected clients to access MQTT topics that they do not have the rights
to. The same issue may be present in third party authentication/access
control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are
in use, or potentially where third party plugins are in use.

The issue is fixed in Mosquitto 1.4.12, which has just been released.
Patches for older versions are available at
https://mosquitto.org/files/cve/2017-7650/

The fix addresses the problem by restricting access for clients with a
'#', '+', or '/' in their username or client id. '/' has been included
in the list of characters disallowed because it also has a special
meaning in a topic and may represent an additional risk. The
restriction placed on clients is that they may not receive or send
messages that are subject to a pattern based ACL check, nor any
message that is subject to a plugin check.
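The bypass and the fix described above, as an added, simplified model that is not Mosquitto's own code: %u/%c are substituted into each pattern ACL before the requested topic is matched against the result as a topic filter, so an identity of '+' or '#' becomes a wildcard, and the fix denies pattern-governed access to any client whose username or client id contains '#', '+' or '/'. Rule lists and the topic matcher are constructed assumptions.

```python
# Added example (not Mosquitto's code): a simplified model of pattern-based ACL
# evaluation showing the CVE-2017-7650 bypass and the 1.4.12-style restriction.
# Assumptions: rules are (access, pattern) tuples in mosquitto.conf style, where
# %u / %c are replaced by the client's username / client id before matching.

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter match: '+' matches one level, '#' matches the remainder."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return True            # multi-level wildcard: everything below matches
        if i >= len(t_parts) or (fp != "+" and fp != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

# Constructed ACL file contents: one plain rule and one pattern rule.
STATIC_ACLS = [("read", "public/#")]            # applies to everyone, no substitution
PATTERN_ACLS = [("readwrite", "sensors/%u/#")]  # each user owns sensors/<username>/...

def _check(rules, access, topic, username="", client_id=""):
    for rule_access, pattern in rules:
        topic_filter = pattern.replace("%u", username).replace("%c", client_id)
        if rule_access in (access, "readwrite") and topic_matches(topic_filter, topic):
            return True
    return False

def allowed_vulnerable(username, client_id, access, topic):
    """Pre-fix behaviour (modelled): the identity is substituted unchecked, so a
    username of '+' turns sensors/%u/# into sensors/+/#, matching every user."""
    return (_check(STATIC_ACLS, access, topic)
            or _check(PATTERN_ACLS, access, topic, username, client_id))

SPECIAL = set("#+/")

def allowed_fixed(username, client_id, access, topic):
    """Fixed behaviour (modelled on the advisory): plain rules still apply, but a
    client whose username or client id contains '#', '+' or '/' is denied any
    access that would be decided by a pattern-based rule."""
    if _check(STATIC_ACLS, access, topic):
        return True
    if SPECIAL & set(username) or SPECIAL & set(client_id):
        return False
    return _check(PATTERN_ACLS, access, topic, username, client_id)
```

The plain rule is deliberately kept outside the restriction, mirroring the advisory's wording that only pattern-based and plugin checks are affected.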

Updated packages for existing systems should be available soon.

Regards,

Roger
