Mosquitto: Memory leaks
Basic information
Project name: Eclipse Mosquitto
Project id: iot.mosquitto
What are the affected versions?
2.0.18
We have not checked previous versions.
Details of the issue
We have found memory leaks on Mosquitto 2.0.18.
This vulnerability can be triggered by sending a specific sequence of the following packets:
CONNECT
SUBSCRIBE
UNSUBSCRIBE
We attach the ASan stack trace of the vulnerability as well as the hex-encoded bytes of the packets ("%x" is used as a hex prefix).
Steps to reproduce
Run the attached replay_mqtt_finding.py script against a Mosquitto 2.0.18 broker which has been instrumented with ASan (AddressSanitizer).
Do you know any mitigations of the issue?
No.
Credit request
If you assign a CVE, is it possible to register the requested CVE with our names and organization name? We are Roman Kraus, Steffen Lüdtke, Martin Schneider and Ramon Barakat of Fraunhofer FOKUS.
Best regards,
Roman Kraus
Relates to
Activity
@romankrausfokus Thank you for the report!
@rlight Could you check this vulnerabilty please?
assigned to @rlight
Hello, we wanted to inform you that we failed to produce this finding on the current 'develop' branch of Mosquitto. Nevertheless, a CVE might still be advised, as the most recent release (2.0.18) appears vulnerable to our finding. If you need further details or help from our side, please let us know.
Thank you very much for the report, and for #217 (closed) as well. Both issues are a manifestation of the same bug, and I have a fix for it. I believe it should have a CVE. @tiagolucas, could we please have one assigned?
Hello @rlight and @tiagolucas, we wanted to inform you that we consider registering the CVE by ourselves next week as the process appears to be stuck here. If we could support you in registering, please let us know. Otherwise, we would make concrete plans to register it ourselves.
@romankrausfokus, thank you for your patience. We will get you a CVE number.
@rlight, To prepare for publication, we will need your help with filling the required information in the CVE assignment ticket that I created at https://gitlab.eclipse.org/security/cve-assignement/-/issues/36
Thanks!
Edited by Mikaël Barbero@romankrausfokus,
we will useCVE-2024-9288for this issue.My guess is that we will want to use the same CVE this ticket and for:
Correct?
Edited by Mikaël Barberomy bad, there is already cve-assignement#26 (closed) created for the CVE reservation.
CVE-2024-8376will be used for this.Hello @mbarbero, thank you for the updates! And yes, as far as I understood @rlight both #216 (closed) and #227 (closed) relate to the same bug as this report. The same also seems to apply to #217 (closed).
Thanks! That is my understanding as well. We will need @rlight feedback to write down the CVE summary and fields (e.g. where are the commits that fix the vulnerability, and which release(s) contain it).
Of course, the requested credits will be given in the CVE report.
Edited by Mikaël Barbero
You are welcome! We wanted to inform you that we have also found a segmentation fault which we have not reported yet. I would finalize the report and upload it as soon as possible. Thus, you could consider its relation to the other findings.
And just to make sure: Is #216 (closed) also a manifestation of the same bug?
@romankrausfokus Excellent, thank you. #216 (closed) is also the same bug.
@rlight You are welcome and thank you for the confirmation. I just created the report for the segmentation fault. You can find it at #227 (closed).
@tiagolucas Can I have access to #227 (closed) please?
mentioned in issue cve-assignement#26 (closed)
added cvereserved label
added vulnerabilityconfirmed label
marked this issue as related to cve-assignement#26 (closed)
added statusawaiting_project label
marked this issue as related to #216 (closed)
marked this issue as related to #217 (closed)
marked this issue as related to #227 (closed)
mentioned in issue #227 (closed)
mentioned in issue #217 (closed)
mentioned in issue #216 (closed)
removed statusawaiting_project label
added resolutionfixed label
