Bug 532113 (CVE-2017-7653) - CVE-2017-7653: Eclipse Mosquitto does not validate topic strings
Summary: CVE-2017-7653: Eclipse Mosquitto does not validate topic strings
Status: RESOLVED FIXED
Alias: CVE-2017-7653
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:

Reported: 2018-03-07 07:56 EST by Ian Craggs
Modified: 2019-01-23 18:21 EST
CC: 4 users

See Also:

Attachments: none
Description Ian Craggs 2018-03-07 07:56:09 EST
A potential vulnerability has been reported to the MQTT OASIS Technical Committee for Eclipse Mosquitto.

Topic strings in MQTT are defined to be UTF-8. The Eclipse Paho Java client validates these topic strings. If an invalid UTF-8 byte is received in the topic string, the connection is terminated, which is a common action in MQTT 3.1.1 for protocol errors.

Mosquitto does not validate the topic string to check that it conforms to UTF-8. If many client applications that do validate the topic strings are connected and subscribed to a wildcarded topic, it is possible for a malicious publisher client to send a message to a topic string with incorrectly formatted UTF-8, causing all the receiving client applications to disconnect.

Eclipse Mosquitto should validate the topic strings and not forward any messages with invalid UTF-8 topics. In general an MQTT server should perform as much validation as, and often more than, clients.
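The broker-side check the report asks for, as an added example that is neither Mosquitto's code nor the Paho utf-8.c validator referenced in this bug: a UTF-8 validator applying the MQTT 3.1.1 MUST rules for UTF-8 encoded strings (RFC 3629 well-formedness with no overlong forms, no surrogate code points U+D800..U+DFFF, no U+0000), combined with the PUBLISH topic-name rules (non-empty, no '+' or '#' wildcard). The function names and the sample topics are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Return 1 if buf[0..len) is a UTF-8 string acceptable under MQTT 3.1.1
 * section 1.5.3: well-formed per RFC 3629 (no overlong encodings, no code
 * point above U+10FFFF), no UTF-16 surrogates, and no encoding of U+0000.
 * Return 0 on the first violation; a broker should then reject the packet
 * rather than forward it to subscribers that validate on receipt.
 */
int mqtt_utf8_valid(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = buf[i];
        uint32_t cp = 0;   /* decoded code point */
        size_t n = 0;      /* number of continuation bytes expected */
        uint32_t lo = 0;   /* smallest code point this length may encode */

        if (b < 0x80) {
            if (b == 0x00) return 0;       /* U+0000 is forbidden in MQTT strings */
            i++;
            continue;
        } else if ((b & 0xE0) == 0xC0) {   /* 2-byte lead; 0xC0/0xC1 fail the overlong check */
            cp = b & 0x1F; n = 1; lo = 0x80;
        } else if ((b & 0xF0) == 0xE0) {   /* 3-byte lead */
            cp = b & 0x0F; n = 2; lo = 0x800;
        } else if ((b & 0xF8) == 0xF0) {   /* 4-byte lead; 0xF5..0xF7 fail the range check */
            cp = b & 0x07; n = 3; lo = 0x10000;
        } else {
            return 0;                      /* stray continuation byte or 0xF8..0xFF */
        }

        if (len - i < n + 1) return 0;     /* sequence truncated at end of string */
        for (size_t k = 1; k <= n; k++) {
            uint8_t c = buf[i + k];
            if ((c & 0xC0) != 0x80) return 0;   /* expected a continuation byte */
            cp = (cp << 6) | (c & 0x3F);
        }
        if (cp < lo) return 0;                       /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;  /* UTF-16 surrogate */
        if (cp > 0x10FFFF) return 0;                 /* outside the Unicode range */
        i += n + 1;
    }
    return 1;
}

/*
 * Check a PUBLISH topic name the way a broker should before forwarding:
 * at least one character, valid UTF-8 as above, and no '+' or '#'
 * (MQTT 3.1.1 section 4.7.1 forbids wildcards in topic names).
 */
int mqtt_publish_topic_ok(const uint8_t *topic, size_t len)
{
    if (len == 0) return 0;
    if (!mqtt_utf8_valid(topic, len)) return 0;
    for (size_t i = 0; i < len; i++)
        if (topic[i] == '+' || topic[i] == '#') return 0;
    return 1;
}

/* Literal plus its byte length, so embedded NULs are counted. */
#define S(lit) (const uint8_t *)(lit), sizeof(lit) - 1

/* Constructed sample topics (not taken from the bug report) covering each rule. */
int main(void)
{
    static const struct { const char *label; const uint8_t *bytes; size_t len; } samples[] = {
        { "plain ASCII",              S("sensors/1/temp") },
        { "2-byte U+00E9",            S("sensors/\xC3\xA9/temp") },
        { "4-byte U+1F600",           S("\xF0\x9F\x98\x80") },
        { "invalid lead byte 0xFF",   S("sensors/\xFF/temp") },
        { "overlong '/' (C0 AF)",     S("\xC0\xAF") },
        { "surrogate U+D800",         S("\xED\xA0\x80") },
        { "U+110000 out of range",    S("\xF4\x90\x80\x80") },
        { "truncated sequence",       S("abc\xC3") },
        { "embedded U+0000",          S("a\x00" "b") },
        { "empty topic name",         S("") },
        { "wildcard in topic name",   S("sensors/+/temp") },
    };
    for (size_t j = 0; j < sizeof samples / sizeof samples[0]; j++)
        printf("%-28s utf8=%d publish_ok=%d\n", samples[j].label,
               mqtt_utf8_valid(samples[j].bytes, samples[j].len),
               mqtt_publish_topic_ok(samples[j].bytes, samples[j].len));
    return 0;
}
```

Only the specification's MUST rules are enforced here; the SHOULD rules (rejecting U+0001..U+001F and U+007F..U+009F control characters and Unicode noncharacters) are a policy choice left to the deployment. The same `mqtt_utf8_valid` check applies to SUBSCRIBE topic filters, where '+' and '#' are legal but have their own placement rules.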
Comment 1 Ian Craggs 2018-03-07 08:13:02 EST
I'm told that the reporter intends to go public with this information in April or May.  I can confirm a more specific date if that's relevant.

The Paho C client does include some validation code, which might be useful.

https://github.com/eclipse/paho.mqtt.c/blob/master/src/utf-8.c
Comment 2 Jens Reimann 2018-03-07 09:07:34 EST
Do you want to have a CVE ID assigned?
Comment 3 Ian Craggs 2018-03-07 09:36:31 EST
I think Roger has agreed that a CVE is warranted, but I'll let him confirm.
Comment 4 Roger Light 2018-04-16 17:10:22 EDT
I would appreciate a CVE assigned for this. There's no use hiding it!

CVSS v2: 3.5
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:N/A:P)

CVSS v3: 4.3
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Comment 5 Wayne Beaton 2018-05-30 10:30:33 EDT
To register the CVE, I need a single paragraph description and a CWE [1]. Can you provide that please?
Comment 6 Roger Light 2018-05-31 17:25:25 EDT
Description: The Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.

CWE: http://cwe.mitre.org/data/definitions/20.html
Comment 7 Wayne Beaton 2018-06-01 13:13:24 EDT
I've created a pull request against the CVE List.

https://github.com/CVEProject/cvelist/pull/552
Comment 8 Wayne Beaton 2018-06-01 16:01:08 EDT
(In reply to Ian Craggs from comment #1)
> I'm told that the reporter intends to go public with this information in
> April or May.  I can confirm a more specific date if that's relevant.

I missed a step. As part of the disclosure to CNA, I need to remove the committer-only flag and make this visible to the public. Can we do this now, or is there a timing issue?
Comment 9 Wayne Beaton 2018-06-05 14:24:34 EDT
(In reply to Wayne Beaton from comment #8)
> I missed a step. As part of the disclosure to CNA, I need to remove the
> committer-only flag and make this visible to the public. Can we do this now,
> or is there a timing issue?

I'm assuming that disclosure is okay and am removing the committer-only restriction.