Vulnerability in client ID that can lead to DDoS attacks on devices in Mosquitto
Received on the security mailing list.
Basic information
Project name: Eclipse Mosquitto
Project id: iot.mosquitto
What are the affected versions?
2.0.20
Hello,
I'm using version 2.0.20 of the mosquitto package installed directly on my Kali Linux, and I've verified that if two clients subscribe to a topic by sending the same client id (even when using different credentials, and even when one of these clients doesn't have permission to subscribe to the topic in question according to the aclfile), the broker keeps disconnecting both sessions in an infinite loop.
From a security point of view, this can cause DDoS attacks on the legitimate device, since the device with the original session will continue trying to re-establish its connection (and will continue to receive packets with the retain flag set on the topic in question once the session is re-established), and it can result in the loss of packets that were sent to this topic without the retain flag if the message is sent during a time when the legitimate device has been disconnected because of this.
I didn't find a CVE that detailed this problem, so I decided to send it through this channel.
Thank you in advance.
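The take-over ping-pong described in the report shows up in the broker log as a burst of "already connected, closing old connection" lines for one client id. The following detector over constructed Mosquitto-style log lines is an added example, not part of the report or of the Mosquitto project; the sample log, the client ids, the 60 s window and the threshold of 5 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# With the default log format, Mosquitto emits this line when a connecting
# client presents a ClientID that is already in use; the broker then drops
# the older session, which is what makes two reconnecting clients fight.
TAKEOVER_RE = re.compile(
    r"^(?P<ts>\d+): Client (?P<cid>\S+) already connected, closing old connection\.$"
)


def detect_clientid_churn(log_lines, window_seconds=60, threshold=5):
    """Return {client_id: count} for ClientIDs whose session was taken over
    at least `threshold` times inside any `window_seconds` span."""
    recent = defaultdict(deque)  # client id -> timestamps of takeovers in window
    flagged = {}
    for line in log_lines:
        m = TAKEOVER_RE.match(line)
        if not m:
            continue
        ts, cid = int(m.group("ts")), m.group("cid")
        q = recent[cid]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()  # drop takeovers that fell out of the sliding window
        if len(q) >= threshold:
            flagged[cid] = max(flagged.get(cid, 0), len(q))
    return flagged


# Constructed sample log (not a real capture): 'sensor-42' is taken over once
# a second as two clients reconnect with the same ClientID, while 'gateway-1'
# shows a single, benign reconnect after a network blip.
SAMPLE_LOG = [
    "1700000000: New client connected from 10.0.0.5:50001 as sensor-42 (p2, c1, k60, u'device').",
    "1700000001: New connection from 10.0.0.9:41000 on port 1883.",
    "1700000001: Client sensor-42 already connected, closing old connection.",
    "1700000002: Client sensor-42 already connected, closing old connection.",
    "1700000003: Client sensor-42 already connected, closing old connection.",
    "1700000004: Client sensor-42 already connected, closing old connection.",
    "1700000005: Client sensor-42 already connected, closing old connection.",
    "1700000006: Client sensor-42 already connected, closing old connection.",
    "1700000120: Client gateway-1 already connected, closing old connection.",
]

if __name__ == "__main__":
    for cid, n in detect_clientid_churn(SAMPLE_LOG).items():
        print(f"ALERT: ClientID {cid!r} taken over {n} times within 60s")
```

Because the ACL only governs publish/subscribe rights and not session take-over, a topic ACL alone does not stop this; tying client ids to authenticated identities (for example Mosquitto's `use_username_as_clientid` option) removes the collision between different credentials.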