[Bug 575324] Mosquitto broker with Dynamic Security Plugin may lead to access control failure
| Bugzilla Link | 575324 |
| Status | ASSIGNED |
| Importance | P3 normal |
| Reported | Aug 09, 2021 23:25 EDT |
| Modified | Aug 30, 2021 15:31 EDT |
| Reporter | syncxxx Song |
Description
Dynamic Security Plugin is supported since Mosquitto 2.0, so this problem will affect version 2.0 and later.
Dynamic Security Plugin sets the default ACL type behaviours to:
- publishClientSend: deny\
- publishClientReceive: allow\
- subscribe: deny\
- unsubscribe: allow
Consider the following scenario:\
-
A tenant now have access to some topic like "message/state", and then he connect to broker with "cleanStart=False" and an enough "sessionInteval=10000"
-
The tenant subscribe the topic "message/state"
-
The tenant disconnect from the broker
-
Admin revoke the privilege from this tenant (subscribePattern message/state)
-
The tenant reconnect with "cleanStart=False" and his session will recover include subscription of "message/state" which means he doesn't need to send another "SUBSCRIBE" packet.
-
Because the default "publishClientReceive" is "allow", the tenant still can receive message from topic "message/state"
By the way, we can't update the default ACL with command like "mosquitto_ctrl dynsec setDefaultACLAccess publishClientSend deny" when the broker is running. This could be a bug.
Activity
By Roger Light
Wayne, could you please assign a CVE for this please?
Versions: 2.0 to 2.0.11
CWE-285: Improper Authorization
Description: When using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.added Security label
assigned to @mrybczyn
