Bug 25728 - mosquitto new security issue CVE-2019-11779
Summary: mosquitto new security issue CVE-2019-11779
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 25902
Depends on:
Blocks:

Reported: 2019-11-23 17:19 CET by David Walser
Modified: 2019-12-21 02:24 CET
CC List: 5 users

See Also:
Source RPM: mosquitto-1.6.0-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-11-23 17:19:39 CET
Debian has issued an advisory on November 17:
https://www.debian.org/security/2019/dsa-4570

The issue is fixed upstream in 1.6.6.
Comment 1 David GEIGER 2019-11-23 17:36:34 CET
Done!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-11-23 17:47:36 CET
Advisory:
========================

Updated mosquitto packages fix security vulnerability:

A vulnerability was discovered in mosquitto, allowing a malicious MQTT client
to cause a denial of service (stack overflow and daemon crash), by sending a
specially crafted SUBSCRIBE packet containing a topic with an extremely deep
hierarchy (CVE-2019-11779).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11779
https://www.debian.org/security/2019/dsa-4570
========================

Updated packages in core/updates_testing:
========================
mosquitto-1.6.6-1.mga7
libmosquitto1-1.6.6-1.mga7
libmosquittopp1-1.6.6-1.mga7
libmosquitto-devel-1.6.6-1.mga7

from mosquitto-1.6.6-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 Len Lawrence 2019-11-28 00:54:22 CET
Mageia 7, x86_64.

Starting to explore this, before updating.  Discovered that MQTT is an important packet protocol in the IoT.  See http://www.steves-internet-guide.com/mqtt/.
Downloaded the example mclient.py client module and a sample script to compose a packet.
Started the MQTT broker on the local machine (it is an /sbin command):

$ sudo mosquitto -d
Ran the sample script to send the packet through port 1883 (I think) but don't know how to interrogate the broker to see what is happening.  Wireshark is mentioned for inspecting packets but again I know little about Wireshark or exactly how to find the sent packet.
$ cat client.py

import mclient as mqtt                       # import the client1
broker_address = "192.168.1.62"
#broker_address="iot.eclipse.org"            # use external broker
client = mqtt.Client( "P1" )                 # create new instance
client.connect( broker_address )             # connect to broker
client.publish( "house/main-light", "OFF" )  # publish

$ python client.py
('length of packet is', 16)
('sending command ', '0x10', ' sending flags =', 0)
('sending ', bytearray(b'\x10\x0e\x00\x04MQTT\x04\x02\x00<\x00\x02P1'))
('length of packet is', 23)
('sending command ', '0x30', ' sending flags =', 0)
('sending ', bytearray(b'0\x15\x00\x10house/main-lightOFF'))

Leaving it there for now.  Updating later.

CC: (none) => tarazed25

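Comment 3 prints the raw bytes the client sent without showing what the broker makes of them, and the advisory in comment 2 describes the over-deep SUBSCRIBE topic that crashed unpatched brokers. The following Python is an added example, not code from this bug report or from the mosquitto project: it decodes the two packets printed above and applies a hierarchy-depth check of the kind a fixed broker needs; the 200-level cap is an assumed illustrative value, not mosquitto's own.

```python
# Added example (not from the bug report or from mosquitto): a minimal MQTT 3.1.1
# decoder plus the topic-depth guard a patched broker needs for CVE-2019-11779.
import struct
MAX_TOPIC_LEVELS = 200  # assumed cap on '/'-separated levels, not mosquitto's own value
PACKET_NAMES = {1: "CONNECT", 3: "PUBLISH", 8: "SUBSCRIBE"}
SAMPLE_CONNECT = b'\x10\x0e\x00\x04MQTT\x04\x02\x00<\x00\x02P1'   # packet from comment 3
SAMPLE_PUBLISH = b'0\x15\x00\x10house/main-lightOFF'             # packet from comment 3

def decode_remaining_length(data, pos):
    """Decode the variable-length 'remaining length' field (7 bits per byte, up to 4 bytes)."""
    value = 0
    for shift in range(0, 28, 7):
        value |= (data[pos] & 0x7F) << shift
        pos += 1
        if not data[pos - 1] & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def read_string(data, pos):
    """Read a UTF-8 string prefixed by a 2-byte big-endian length."""
    (length,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + length].decode("utf-8"), pos + 2 + length

def topic_within_limit(topic, limit=MAX_TOPIC_LEVELS):
    """Depth guard: 'house/main-light' has 2 levels; over-deep topics are rejected."""
    return topic.count("/") + 1 <= limit

def decode_packet(data):
    """Describe one CONNECT, PUBLISH or SUBSCRIBE packet as a dict."""
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    remaining, pos = decode_remaining_length(data, 1)
    if pos + remaining != len(data):
        raise ValueError("remaining length does not match packet size")
    info = {"type": PACKET_NAMES.get(ptype, ptype), "flags": flags}
    if ptype == 1:    # CONNECT: protocol name, level, connect flags, keepalive, client id
        info["protocol"], pos = read_string(data, pos)
        info["level"], info["connect_flags"], info["keepalive"] = struct.unpack_from(">BBH", data, pos)
        info["client_id"], _ = read_string(data, pos + 4)
    elif ptype == 3:  # PUBLISH: topic, packet id only when QoS > 0, then payload
        info["topic"], pos = read_string(data, pos)
        pos += 2 if (flags >> 1) & 0x03 else 0
        info["payload"], info["topic_ok"] = data[pos:], topic_within_limit(info["topic"])
    elif ptype == 8:  # SUBSCRIBE: packet id, then (filter, QoS, within-limit) triples
        (info["packet_id"],) = struct.unpack_from(">H", data, pos)
        pos, info["filters"] = pos + 2, []
        while pos < len(data):
            topic, pos = read_string(data, pos)
            info["filters"].append((topic, data[pos], topic_within_limit(topic)))
            pos += 1
    return info
```

Calling decode_packet(SAMPLE_CONNECT) shows the client id "P1", protocol level 4 and a 60 s keepalive; for a SUBSCRIBE the per-filter third field is what a fixed broker should act on before recursing into its subscription tree.
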
Comment 4 Len Lawrence 2019-11-28 12:24:10 CET
Continuing from comment 3:
Updated the four packages.
Had a look at mosquitto.conf, which runs to 956 lines, and changed a few of the entries from the defaults.  The man pages contain several entries for mosquitto, which contain a lot of information.  It would be a career job to absorb all that information.

$ sudo systemctl start vnstat

Started the mosquitto server

$ sudo mosquitto -d
$ python client.py

('length of packet is', 16)
('sending command ', '0x10', ' sending flags =', 0)
('sending ', bytearray(b'\x10\x0e\x00\x04MQTT\x04\x02\x00<\x00\x02P1'))
('length of packet is', 23)
('sending command ', '0x30', ' sending flags =', 0)
('sending ', bytearray(b'0\x15\x00\x10house/main-lightOFF'))

Started vnstat in a terminal

$ vnstat -5 0

 enp0s31f6  /  5 minute

         time        rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     2019-11-28
         10:50      9.82 MiB |  147.47 KiB |    9.96 MiB |  278.62 kbit/s
         10:55      1.43 MiB |  174.02 KiB |    1.60 MiB |   44.60 kbit/s
         11:00      4.82 KiB |    1.69 KiB |    6.51 KiB |      888 bit/s
     ------------------------+-------------+-------------+---------------

The last transaction looks like it might be the packet just sent; the time is correct and the small size seems significant.

These are extremely elementary tests, all in the local loop, but at least they run and do not break.

Giving this the 64-bit OK.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Len Lawrence 2019-11-28 12:38:23 CET
A PoC for this could be generated but it involves a subscription packet containing more than 65400 '/' topic separators.  Might try it sometime.
Comment 6 Len Lawrence 2019-11-28 12:47:30 CET
And a correction.  The vnstat entries are a summary of total traffic over five-minute intervals so the entry does not necessarily identify the MQTT packet.  It really needs something like Wireshark.
Comment 7 Thomas Andrews 2019-11-29 01:18:55 CET
Better than anything I could do, Len. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:11:10 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-11-30 14:07:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0345.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2019-12-21 02:24:37 CET
*** Bug 25902 has been marked as a duplicate of this bug. ***
