CVE-2021-41039: 575314 – (CVE-2021-41039) Possible DoS Attack caused by unlimited number of "user properties" in Mosquitto Broker

In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

Description syncxxx Song CLA Friend 2021-08-09 09:47:26 EDT

We have found a DoS attack which can be triggered by CONNECT packets which contain lots of "user properties". The broker will then parse all of them and store them in a linked list. When checking for the uniqueness of “properties” in the CONNECT packet, the linked list is traversed with O(n^2) complexity.

In our tests, it takes only 64KB per package to have an impact on our cloud server with 1 core (20 processes sending packages simultaneously). So it’s only limited by max packet size.

lib\property_mosq.c:186(property__read_all)

In this function, the broker parses and stores the properties, including "user properties".

lib\property_mosq.c:963(mosquitto_property_check_all)

```c
int mosquitto_property_check_all(int command, const mosquitto_property *properties) {

    ...
    ...

    while(p){

        ...
        ...

        tail = p->next;
        while(tail){
            if(p->identifier == tail->identifier
                    && p->identifier != MQTT_PROP_USER_PROPERTY){

                return MOSQ_ERR_DUPLICATE_PROPERTY;
            }
            tail = tail->next;
        }

        p = p->next;
    }

    return MOSQ_ERR_SUCCESS;

}
```
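The cost of the pairwise check quoted in the report, next to a single-pass alternative, as an added example that is not part of the bug report and is not Mosquitto's patch. `struct prop`, `check_pairwise`, `check_single_pass` and `build_list` are hypothetical names, and the 4000-property list is constructed input.

```c
#include <stdint.h>
#include <stdio.h>

#define PROP_USER_PROPERTY 38  /* MQTT v5 User Property identifier (0x26) */
#define ERR_DUPLICATE 1
/* Simplified stand-in for mosquitto_property: only what the check reads. */
struct prop { uint8_t identifier; struct prop *next; };

/* Pairwise scan shaped like the excerpt; *steps counts comparisons. */
int check_pairwise(const struct prop *p, unsigned long *steps) {
    for (; p; p = p->next)
        for (const struct prop *tail = p->next; tail; tail = tail->next) {
            (*steps)++;
            if (p->identifier == tail->identifier && p->identifier != PROP_USER_PROPERTY)
                return ERR_DUPLICATE;
        }
    return 0;
}

/* Single pass: record each non-user identifier the first time it appears. */
int check_single_pass(const struct prop *p, unsigned long *steps) {
    unsigned char seen[256] = {0};
    for (; p; p = p->next) {
        (*steps)++;
        if (p->identifier == PROP_USER_PROPERTY) continue; /* may repeat */
        if (seen[p->identifier]) return ERR_DUPLICATE;
        seen[p->identifier] = 1;
    }
    return 0;
}

/* Link nodes[0..n-1] (n >= 1), all with the same identifier (constructed input). */
struct prop *build_list(struct prop *nodes, size_t n, uint8_t identifier) {
    for (size_t i = 0; i < n; i++) {
        nodes[i].identifier = identifier;
        nodes[i].next = (i + 1 < n) ? &nodes[i + 1] : NULL;
    }
    return nodes;
}

int main(void) {
    static struct prop nodes[4000];
    unsigned long a = 0, b = 0;
    struct prop *head = build_list(nodes, 4000, PROP_USER_PROPERTY);
    check_pairwise(head, &a);
    check_single_pass(head, &b);
    printf("4000 user properties: pairwise=%lu single-pass=%lu\n", a, b);
    return 0;
}
```

For n user properties the pairwise scan performs n(n-1)/2 comparisons, while the single pass performs n.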

Comment 1 Wayne Beaton CLA Friend 2021-08-09 13:27:12 EDT

/cc project lead.

What versions does this impact?

Comment 2 syncxxx Song CLA Friend 2021-08-09 18:48:36 EDT

We tested in version 2.0.11, and I think it affects any version before because there is no commit about this.

Comment 3 syncxxx Song CLA Friend 2021-08-09 18:55:29 EDT

We tested in version 2.0.11, and I think it affects any version before because there is no commit about this. In addition.

(In reply to Wayne Beaton from comment #1)
> /cc project lead.
>
> What versions does this impact?

Comment 5 Roger Light CLA Friend 2021-08-10 15:50:23 EDT

Thanks for the report. Could you check whether the patch I just submitted works for you?

Comment 6 syncxxx Song CLA Friend 2021-08-10 21:03:19 EDT

(In reply to Roger Light from comment #5)
> Thanks for the report. Could you check whether the patch I just submitted
> works for you?

Yeah, it works well. Thanks.

Comment 7 Roger Light CLA Friend 2021-08-30 11:21:49 EDT

Wayne, could you assign a CVE for this please?

Versions 1.6 to 2.0.11
CWE-1050
An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

Comment 8 syncxxx Song CLA Friend 2021-11-27 20:56:17 EST

(In reply to Roger Light from comment #7)
> Wayne, could you assign a CVE for this please?
>
> Versions 1.6 to 2.0.11
> CWE-1050
> An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

Thank you for your response. Is it possible to register the requested CVE with our name and organization name (Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci. & Tech.; Luyi Xing, IU; Yan Jia, Nankai University)?

Comment 9 Wayne Beaton CLA Friend 2021-12-01 14:34:39 EST

I’ve assigned CVE-2021-41039 and have pushed the report to the central authority.

> Is it possible to register the requested CVE with our name and organization
> name (Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci. & Tech.; Luyi Xing, IU; Yan Jia, Nankai University)?

I’ve added you all as a “credit” entry in the submission.
