#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Eclipse Mosquitto
# Vendor:   Eclipse Foundation
# CSNC ID:  CSNC-2023-001
# CVE ID:   CVE-2023-28366
# Subject:  Denial of Service / Memory Leak
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Mischa Bachmann
# Date:     31.08.2023
#
#############################################################

Introduction
------------

Eclipse Mosquitto [1,2] is an open source (EPL/EDL licensed) message broker
that implements the MQTT protocol versions 5.0, 3.1.1 and 3.1. Mosquitto is
lightweight and is suitable for use on all devices from low power single
board computers to full servers.

The MQTT protocol provides a lightweight method of carrying out messaging
using a publish/subscribe model. This makes it suitable for Internet of
Things messaging, for example with low power sensors or mobile devices such
as phones, embedded computers or microcontrollers.

The Mosquitto project also provides a C library for implementing MQTT
clients, and the very popular mosquitto_pub and mosquitto_sub command line
MQTT clients.

Affected
--------

Vulnerable:
  * Eclipse Mosquitto v1.4 - v2.0.15

Not tested:
  * Eclipse Mosquitto before v1.4

Technical Description
---------------------

The Eclipse Mosquitto broker does not properly handle the error codes
returned by the libc send() function. If send() fails with EAGAIN, the
control flow catches the error but reports success to the calling function.
The packet that could not be sent is therefore never freed, which results in
a memory leak.

An attacker can abuse this behaviour by transmitting a large number of
network packets of a particular type at a high rate, filling up the broker's
memory with unsent packets and causing a Denial of Service.

Workaround / Fix
----------------

Upgrade to Eclipse Mosquitto v2.0.16 or later containing the fix [3]. The
installed broker version can be confirmed with "mosquitto -h", which prints
the version string before the usage text.
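The following is an added illustration, not code from Mosquitto or from this
advisory: a toy outgoing-packet writer with a mock send() that shows the
pattern named in the Technical Description (EAGAIN is caught, success is
returned, the unsent packet is never freed) beside a corrected writer that
keeps the packet queued and reports a distinct retry code. All names
(ERR_WOULDBLOCK, mock_send, packet_new, write_packet_vulnerable,
write_queue_fixed) are hypothetical, the "PUBLISH" payloads are constructed
input, and the broker's real code paths and packet types are not reproduced.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes of the toy writer (hypothetical, not Mosquitto's own). */
#define ERR_SUCCESS    0
#define ERR_WOULDBLOCK 1   /* socket buffer full: caller must retry later */
#define ERR_FATAL      2

struct packet { char *payload; size_t len, pos; struct packet *next; };

static size_t live_packets = 0;   /* allocated packets: makes a leak visible */
static int mock_wouldblock = 0;   /* 1 = the mock socket's buffer is full */

static long mock_send(const void *buf, size_t len)   /* stand-in for send(2) */
{
    (void)buf;
    if (mock_wouldblock) { errno = EAGAIN; return -1; }   /* would block */
    return (long)len;                                     /* wrote it all */
}

static struct packet *packet_new(const char *data, size_t len)
{
    struct packet *p = calloc(1, sizeof *p);
    if (!p || !(p->payload = malloc(len))) { free(p); return NULL; }
    memcpy(p->payload, data, len);
    p->len = len;
    live_packets++;
    return p;
}

static void packet_free(struct packet *p)
{
    if (p) { free(p->payload); free(p); live_packets--; }
}

/* Vulnerable pattern: EAGAIN is caught but reported as success, so the
 * caller assumes the packet went out and neither frees nor re-queues it. */
static int write_packet_vulnerable(struct packet *p)
{
    long n = mock_send(p->payload + p->pos, p->len - p->pos);
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return ERR_SUCCESS;       /* BUG: p is unreachable now, never freed */
    if (n < 0) { packet_free(p); return ERR_FATAL; }
    p->pos += (size_t)n;
    packet_free(p);               /* mock wrote everything: packet is done */
    return ERR_SUCCESS;
}

/* Fixed pattern: on EAGAIN the packet stays at the head of the caller's queue
 * and a distinct code tells the caller to retry once the socket is writable. */
static int write_queue_fixed(struct packet **queue)
{
    while (*queue) {
        struct packet *p = *queue;
        long n = mock_send(p->payload + p->pos, p->len - p->pos);
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            return ERR_WOULDBLOCK;    /* p remains queued, nothing is lost */
        if (n < 0) { *queue = p->next; packet_free(p); return ERR_FATAL; }
        p->pos += (size_t)n;
        if (p->pos == p->len) { *queue = p->next; packet_free(p); }
    }
    return ERR_SUCCESS;
}

/* Push `count` packets at a socket that keeps reporting EAGAIN; return how
 * many packets are still allocated afterwards (0 means nothing leaked). */
static size_t leaked_packets_vulnerable(size_t count)
{
    size_t before = live_packets;
    mock_wouldblock = 1;
    for (size_t i = 0; i < count; i++)
        write_packet_vulnerable(packet_new("PUBLISH", 7));
    mock_wouldblock = 0;
    return live_packets - before;     /* one leaked packet per call */
}

static size_t leaked_packets_fixed(size_t count)
{
    size_t before = live_packets;
    struct packet *queue = NULL, **tail = &queue;
    mock_wouldblock = 1;
    for (size_t i = 0; i < count; i++) {
        if (!(*tail = packet_new("PUBLISH", 7))) break;
        tail = &(*tail)->next;
        write_queue_fixed(&queue);    /* ERR_WOULDBLOCK, queue kept intact */
    }
    mock_wouldblock = 0;              /* socket drains again */
    write_queue_fixed(&queue);        /* flushes and frees the whole queue */
    return live_packets - before;
}

int main(void)
{
    printf("vulnerable: %zu leaked, fixed: %zu leaked (of 1000 each)\n",
           leaked_packets_vulnerable(1000), leaked_packets_fixed(1000));
}
```

The point of the comparison is the contract between the writer and its
caller: once EAGAIN is translated into the same code as a completed write,
the caller has no way to know it still owns the packet, so ownership is lost
and every blocked send costs one allocation until the process is out of
memory. The fixed writer never frees on EAGAIN and never claims success
either; the packet remains reachable through the queue and is freed on the
retry that finally writes it.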
Timeline
--------

2023-03-06: Discovery by Mischa Bachmann
2023-03-15: Assigned CVE-2023-28366
2023-03-20: Initial vendor notification
2023-03-20: Initial vendor response
2023-08-16: Release of fixed version / patch
2023-08-31: Disclosure of advisory

References
----------

[1] https://mosquitto.org/
[2] https://github.com/eclipse/mosquitto
[3] https://github.com/eclipse/mosquitto/releases/tag/v2.0.16