Eclipse Mosquitto (Posts about Security)

Version 1.5.6 released

Mosquitto Project — Fri, 08 Feb 2019 13:00:00 GMT

Mosquitto 1.5.6 has been released to address three potential security vulnerabilities.

CVE-2018-12551

If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. Affects version 1.0 to 1.5.5 inclusive.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12551

CVE-2018-12550

If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. Affects versions 1.0 to 1.5.5 inclusive.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12550

CVE-2018-12546

If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option check_retain_source has been introduced to enforce checking of the retained message source on publish.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12546

Version 1.5.6 Changes

The list of other fixes addressed in version 1.5.6 is:

Broker

Fixed comment handling for config options that have optional arguments.
Improved documentation around bridge topic remapping.
Handle mismatched handshakes (e.g. QoS1 PUBLISH with QoS2 reply) properly.
Fix spaces not being allowed in the bridge remote_username option. Closes #1131.
Allow broker to always restart on Windows when using log_dest file. Closes #1080.
Fix Will not being sent for Websockets clients. Closes #1143.
Windows: Fix possible crash when client disconnects. Closes #1137.
Fixed durable clients being unable to receive messages when offline, when per_listener_settings was set to true. Closes #1081.
Add log message for the case where a client is disconnected for sending a topic with invalid UTF-8. Closes #1144.

Library

Fix TLS connections not working over SOCKS.
Don't clear SSL context when TLS connection is closed, meaning if a user provided an external SSL_CTX they have less chance of leaking references.

Build

Fix comparison of boolean values in CMake build. Closes #1101.
Fix compilation when openssl deprecated APIs are not available. Closes #1094.
Man pages can now be built on any system. Closes #1139.

Security advisory: CVE-2018-12543

Mosquitto Project — Thu, 27 Sep 2018 09:36:19 GMT

Mosquitto 1.5.3 has been released to address a security vulnerability. It also includes other bug fixes.

CVE-2018-12543

A vulnerability exists in Mosquitto versions 1.5 to 1.5.2 inclusive, known as CVE-2018-12543.

If a message received by the broker has a topic that begins with $, but that does not begin $SYS, an assert is triggered that should otherwise not be accessible, causing Mosquitto to exit.

The issue is fixed in Mosquitto 1.5.3. Patches for older versions are available at https://mosquitto.org/files/cve/2018-12543

The fix addresses the problem by reverting a commit that intended to remove some unused checks, but also stopped part of the topic hierarchy being created.

Version 1.5.3 Changes

The complete list of fixes addressed in version 1.5.3 is:

Security

Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and Mosquitto will exit.

Broker

Elevate log level to warning for situation when socket limit is hit.
Remove requirement to use user root in snap package config files.
Fix retained messages not sent by bridges on outgoing topics at the first connection. Closes #701.
Documentation fixes. Closes #520, #600.
Fix duplicate clients being added to by_id hash before the old client was removed. Closes #645.
Fix Windows version not starting if include_dir did not contain any files. Closes #566.

Build

Various fixes to ease building.

Version 1.6.6 released

Mosquitto Project — Thu, 27 Sep 2018 09:36:19 GMT

Mosquitto 1.6.6 and 1.5.9 have been released to address two security vulnerabilities.

Titles and links will be updated once the CVE numbers are assigned.

CVE-2019-11779

A vulnerability exists in Mosquitto versions 1.5 to 1.6.5 inclusive, known as CVE-2019-11779.

If a client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

The issue is fixed in Mosquitto 1.6.6 and 1.5.9. Patches for older versions are available at https://mosquitto.org/files/cve/2019-11779

The fix addresses the problem by restricting the allowed number of topic hierarchy levels to 200. An alternative fix is to increase the size of the stack by a small amount.

CVE-2019-11778

A vulnerability exists in Mosquitto version 1.6 to 1.6.4 inclusive, known as CVE-2019-11778

If an MQTT v5 client connects to Mosquitto, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.

The issue is fixed in Mosquitto 1.6.5. Patches for older versions are available at https://mosquitto.org/files/cve/2019-11778

Version 1.6.6 Changes

The complete list of fixes addressed in version 1.6.6 is:

Security

Restrict topic hierarchy to 200 levels to prevent possible stack overflow. Closes #1412.

Broker

Restrict topic hierarchy to 200 levels to prevent possible stack overflow. Closes #1412.
mosquitto_passwd now returns 1 when attempting to update a user that does not exist. Closes #1414.

Security advisory: CVE-2017-7651, CVE-2017-7652

Mosquitto Project — Tue, 27 Feb 2018 16:37:29 GMT

Mosquitto 1.4.15 has been released to address two security vulnerabilities.

CVE-2017-7651

A vulnerability exists in all Mosquitto versions up to and including 1.4.14 known as CVE-2017-7651.

Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7651

The fix addresses the problem by limiting the permissible size for CONNECT packet, and by adding a memory_limit configuration option that allows the broker to self limit the amount of memory it uses.

Thanks to Felipe Balabanian for finding this vulnerability and responsibly reporting it.

CVE-2017-7652

A vulnerability exists in Mosquitto versions 1.0 to 1.4.14 inclusive known as CVE-2017-7652.

If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorisation and access control may no longer be in place.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7652

The fix addresses the problem by only copying the new configuration options to the in use configuration after a successful reload has taken place.

Version 1.4.15 Changes

The complete list of fixes addressed in version 1.4.15 is:

Security

Fix CVE-2017-7652. If a SIGHUP is sent to the broker when there are no more file descriptors, then opening the configuration file will fail and security settings will be set back to their default values.
Fix CVE-2017-7651. Unauthenticated clients can cause excessive memory use by setting "remaining length" to be a large value. This is now mitigated by limiting the size of remaining length to valid values. A memory_limit configuration option has also been added to allow the overall memory used by the broker to be limited.

Broker

Use constant time memcmp for password comparisons.
Fix incorrect PSK key being used if it had leading zeroes.
Fix memory leak if a client provided a username/password for a listener with use_identity_as_username configured.
Fix use_identity_as_username not working on websockets clients.
Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on a websockets client. Closes #490.
Fix 08-ssl-bridge.py test when using async dns lookups. Closes #507.
Lines in the config file are no longer limited to 1024 characters long. Closes #652.
Fix $SYS counters of messages and bytes sent when message is sent over a Websockets. Closes #250.
Fix upgrade_outgoing_qos for retained message. Closes #534.
Fix CONNACK message not being sent for unauthorised connect on websockets. Closes #8.

Client library

Fix incorrect PSK key being used if it had leading zeroes.
Initialise "result" variable as soon as possible in mosquitto_topic_matches_sub. Closes #654.
No need to close socket again if setting non-blocking failed. Closes #649.
Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against foo/+/#. Closes #670.

Clients

Correctly handle empty files with mosquitto_pub -l. Closes #676.

Build

Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.

Security advisory: CVE-2017-9868

Mosquitto Project — Mon, 26 Jun 2017 10:45:51 GMT

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive known as CVE-2017-9868.

If persistence is enabled, then the persistence file is created world readable, which has the potential to make sensitive information available to any local user.

Patches are available to fix this for Unix like operating systems (i.e. not Windows): https://mosquitto.org/files/cve/2017-9868/

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively by removing world read permissions for the directory that the persistence file is stored in. In many systems this can be achieved with:

chmod 700 /var/lib/mosquitto

Security advisory: CVE-2017-7650

Mosquitto Project — Mon, 29 May 2017 11:41:48 GMT

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11 inclusive known as CVE-2017-7650.

Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

The issue is fixed in Mosquitto 1.4.12, which has just been released. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7650

The fix addresses the problem by restricting access for clients with a '#', '+', or '/' in their username or client id. '/' has been included in the list of characters disallowed because it also has a special meaning in a topic and may represent an additional risk. The restriction placed on clients is that they may not receive or send messages that are subject to a pattern based ACL check, nor any message that is subject to a plugin check.

Thanks to Artem Zinenko from HackerDom CTF team for finding this vulnerability and responsibly reporting it.

Complete list of fixes addressed in version 1.4.12:

Broker

Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
Fix bridge not restarting properly. Closes #428.
Fix uninitialised memory in gets_quiet on Windows. Closes #426.
Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
Fixes to readme.md.
Fix deprecation warning for OpenSSL 1.1. PR #416.
Don't segfault on duplicate bridge names. Closes #446.
Fix CVE-2017-7650.

Mosquitto and POODLE

Mosquitto Project — Thu, 16 Oct 2014 14:53:33 GMT

Details of the POODLE attack that targets SSLv3 have been released recently. Mosquitto has never provided support for SSLv3 (or SSLv2) so should not be vulnerable to this attack and does not require any configuration changes.

Version 1.3.2 released

Mosquitto Project — Mon, 14 Jul 2014 12:10:05 GMT

This is a security and bugfix release.

Security

A bug in the way that mosquitto handles authentication plugins has been identified. When using a plugin for authentication purposes, if the plugin returns MOSQ_ERR_UNKNOWN when making an authentication check, as might happen if a database was unavailable for example, then mosquitto incorrectly treats this as a successful authentication. This has the potential for unauthorised clients to access the running mosquitto broker and gain access to information to which they are not authorised. This is an important update for users of authentication plugins in mosquitto.

Broker

Don't allow access to clients when authenticating if a security plugin returns an application error. Fixes bug #1340782.
Ensure that bridges verify certificates by default when using TLS.
Fix possible crash when using pattern ACLs that do not include a %u and clients that connect without a username.
Fix subscriptions being deleted when clients subscribed to a topic beginning with a $ but that is not $SYS.
When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
Anonymous clients are no longer accidentally disconnected from the broker after a SIGHUP.
Fix bug #1324411, which could have had unexpected consequences for delayed messages in rare circumstances.

Client library

Fix topic matching edge case.
Fix callback deadlocks after calling mosquitto_disconnect(), when using the threaded interfaces. Closes bug #1313725.
Fix SRV support when building with CMake.

General

Use $(STRIP) for stripping binaries when installing, to allow easier cross compilation.