Bug 575314 (CVE-2021-41039) - Possible DoS Attack caused by unlimited number of "user properties" in Mosquitto Broker
Status: CLOSED MOVED
Alias: CVE-2021-41039
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
Reported: 2021-08-09 09:47 EDT by syncxxx Song
Modified: 2021-12-23 06:47 EST

Attachments
Proposed fix (1.04 KB, patch)
2021-08-10 15:49 EDT, Roger Light

Description syncxxx Song 2021-08-09 09:47:26 EDT
We have found a DoS attack which can be triggered by CONNECT packets which contain lots of "user properties". The broker will then parse all of them and store them in a linked list. When checking for the uniqueness of "properties" in the CONNECT packet, the linked list will be traversed with O(n^2) complexity.

In our tests, it takes only 64KB per package to have an impact in our cloud server with 1 core (20 processes sending packages simultaneously). So it's only limited by max packet size.


# lib\property_mosq.c:186(property__read_all)

In this function, the broker parses and stores the properties, including "user properties".

# lib\property_mosq.c:963(mosquitto_property_check_all)

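int mosquitto_property_check_all(int command, const mosquitto_property *properties)
{
	...
	...

	while(p){
		...
		...

		/* Compare p against every later property in the list. User
		 * properties are exempt from the duplicate rule, but they are
		 * still walked here, so n properties cost O(n^2) comparisons. */
		tail = p->next;
		while(tail){
			if(p->identifier == tail->identifier
					&& p->identifier != MQTT_PROP_USER_PROPERTY){

				return MOSQ_ERR_DUPLICATE_PROPERTY;
			}
			tail = tail->next;
		}

		p = p->next;
	}

	return MOSQ_ERR_SUCCESS;
}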
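The cost described in the report, as an added example that is not part of the original report or of Mosquitto's code: a pairwise check in the shape quoted above next to a single-pass check, each with a comparison counter. The struct, function names and return codes are simplified stand-ins, and the single-pass approach is an illustration, not the fix attached to this bug.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PROP_USER_PROPERTY 38 /* MQTT v5 User Property identifier (0x26) */
enum { ERR_SUCCESS = 0, ERR_DUPLICATE = 1 }; /* hypothetical return codes */
struct prop { struct prop *next; uint8_t identifier; }; /* simplified node, not Mosquitto's struct */

/* Pairwise check in the shape quoted above; *cmp counts inner-loop comparisons. */
int check_pairwise(const struct prop *p, unsigned long *cmp) {
	for(; p; p = p->next){
		for(const struct prop *tail = p->next; tail; tail = tail->next){
			(*cmp)++;
			if(p->identifier == tail->identifier && p->identifier != PROP_USER_PROPERTY){
				return ERR_DUPLICATE;
			}
		}
	}
	return ERR_SUCCESS;
}

/* Single pass: one "seen" flag per identifier; user properties may repeat. */
int check_single_pass(const struct prop *p, unsigned long *cmp) {
	bool seen[256] = { false };
	for(; p; p = p->next){
		(*cmp)++;
		if(p->identifier == PROP_USER_PROPERTY) continue;
		if(seen[p->identifier]) return ERR_DUPLICATE;
		seen[p->identifier] = true;
	}
	return ERR_SUCCESS;
}

/* Constructed input: link a caller-supplied array into n nodes sharing one identifier. */
void link_list(struct prop *a, size_t n, uint8_t id) {
	for(size_t i = 0; i < n; i++){
		a[i].identifier = id;
		a[i].next = (i + 1 < n) ? &a[i + 1] : NULL;
	}
}

int main(void) {
	static struct prop nodes[1000];
	unsigned long a = 0, b = 0;
	link_list(nodes, 1000, PROP_USER_PROPERTY);
	check_pairwise(nodes, &a);
	check_single_pass(nodes, &b);
	printf("pairwise=%lu single_pass=%lu\n", a, b);
	return 0;
}
```

For 1000 user properties the pairwise loop performs 499500 comparisons, against 1000 for the single pass.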
Comment 1 Wayne Beaton 2021-08-09 13:27:12 EDT
/cc project lead.

What versions does this impact?
Comment 2 syncxxx Song 2021-08-09 18:48:36 EDT
We tested in version 2.0.11, and I think it affects any version before because there is no commit about this.
Comment 3 syncxxx Song 2021-08-09 18:55:29 EDT
We tested in version 2.0.11, and I think it affects any version before because there is no commit about this. In addition.
(In reply to Wayne Beaton from comment #1)
> /cc project lead.
> 
> What versions does this impact?
Comment 4 Roger Light 2021-08-10 15:49:41 EDT
Created attachment 286914
Proposed fix
Comment 5 Roger Light 2021-08-10 15:50:23 EDT
Thanks for the report. Could you check whether the patch I just submitted works for you?
Comment 6 syncxxx Song 2021-08-10 21:03:19 EDT
(In reply to Roger Light from comment #5)
> Thanks for the report. Could you check whether the patch I just submitted
> works for you?

Yeah, it works well. Thanks.
Comment 7 Roger Light 2021-08-30 11:21:49 EDT
Wayne, could you assign a CVE for this please?

Versions 1.6 to 2.0.11
CWE-1050
An MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
Comment 8 syncxxx Song 2021-11-27 20:56:17 EST
(In reply to Roger Light from comment #7)
> Wayne, could you assign a CVE for this please?
> 
> Versions 1.6 to 2.0.11
> CWE-1050
> An MQTT v5 client connecting with a large number of user-property properties
> could cause excessive CPU usage, leading to a loss of performance and
> possible denial of service.

Thank you for your response.
Is it possible to register the requested CVE with our name and organization name (Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci. & Tech.; Luyi Xing, IU; Yan Jia, Nankai University)?
Comment 9 Wayne Beaton 2021-12-01 14:34:39 EST
I've assigned CVE-2021-41039 and have pushed the report to the central authority.

> Is it possible to register the requested CVE with our name and organization
> name (Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci.
> & Tech.; Luyi Xing, IU; Yan Jia, Nankai University)?

I've added you all as a "credit" entry in the submission.
Comment 10 Frederic Gurr 2021-12-23 06:47:58 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/637.