Debian Security Update Fixed 5 Mosquitto Vulnerabilities
The Debian team has released a security update addressing five vulnerabilities in Mosquitto, an open-source MQTT message broker. Four of them can be triggered by a remote client to cause a denial of service (memory leaks or excessive memory and CPU consumption); the fifth is an authorization flaw in the broker's dynamic security plugin.
Here, we will discuss the CVEs, their severity scores, causes, and risks.
Five Mosquitto Vulnerabilities Patched
CVE-2021-34434
CVSS 3.x Score: 5.3 Medium
In affected versions of Eclipse Mosquitto running the dynamic security plugin, if a client's permission to subscribe to a topic is revoked while that client is offline with a persistent (durable) session, its existing subscriptions to that topic are not revoked. The client therefore still holds a subscription it is no longer authorized for when it reconnects, until it unsubscribes itself.
CVE-2023-0809
CVSS 3.x Score: Not Analyzed by NVD
In Mosquitto before 2.0.16, a malicious initial packet that is not a CONNECT packet causes the broker to allocate excessive memory. Because MQTT requires the first packet on a connection to be CONNECT, this is reachable before any authentication takes place.
CVE-2023-3592
CVSS 3.x Score: 5.8 Medium
A memory leak issue was discovered in Mosquitto when clients send v5 CONNECT packets with a will message that contains invalid property types.
CVE-2023-28366
CVSS 3.x Score: 7.5 High
The broker in Mosquitto contained a memory leak that can be triggered remotely when a client sends many QoS 2 messages with duplicate message IDs and never responds to the broker's PUBREC packets. The issue arises from mishandling of EAGAIN errors returned by the libc send function. A single misbehaving or hostile client can therefore drive the broker's memory usage up over time, so broker memory growth is the symptom to watch for on unpatched hosts.
CVE-2021-41039
CVSS 3.x Score: 7.5 High
An MQTT v5 client that connects with a CONNECT packet carrying a very large number of user-property properties can cause excessive CPU usage in the broker, degrading performance and opening it to denial of service.
In the oldstable distribution (bullseye), these issues have been fixed in version 2.0.11-1+deb11u1, and in the stable distribution (bookworm) in version 2.0.11-1.2+deb12u1. It is highly recommended to upgrade your mosquitto packages to these versions or later. Note that Debian backported the fixes onto the 2.0.11 base rather than moving to 2.0.16, so scanners that judge by the upstream version string alone will keep reporting 2.0.11; the Debian revision (+deb11u1 / +deb12u1) is what shows the fix is present.
The source for this article is the Debian Security Advisory for mosquitto.