DoS vulns in 3 open-source MQTT message brokers could leave users literally locked out of their homes or offices
If your IoT kit employs RabbitMQ, EMQ X or VerneMQ, it's time to get patching
Synopsys Cybersecurity Research Centre (CyRC) has warned of easily triggered denial-of-service (DoS) vulnerabilities in three popular open-source Internet of Things message brokers: RabbitMQ, EMQ X, and VerneMQ.
The message brokers, responsible for handling data sent to or from IoT devices like smart home hubs and door locks, all share a common protocol: Message Queuing Telemetry Transport (MQTT), first released in 1999 for monitoring oil pipelines and since repurposed for a variety of home and industrial automation tasks. Any disruption in MQTT messaging could potentially leave users locked out of their homes and offices.
"Message brokers are software applications that serve as a messaging hub for complex systems," said Jonathan Knudsen, Synopsys senior security strategist responsible for discovering the vulnerabilities, in the public disclosure. "They provide reliable communication channels between different components, serving as the nerve center of a complex system. As such, message brokers can also be a central point of failure."
All three message brokers affected by Knudsen's discovery can be fooled, by a specially crafted MQTT message, into bloating their memory usage until the host operating system terminates them. Once the broker has been terminated, any IoT device on the network which relies on it will be rendered inoperable.
"If the message broker dies, system components won't be able to communicate," Knudsen continued. "CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial of service vulnerabilities in three popular open source message brokers. They give attackers the opportunity to disable the message brokers, a denial-of-service attack that could have serious consequences."
The precise details of the vulnerability differ from system to system. While all are triggered by a malicious MQTT message, the message has to be written specifically for the target message broker. Knudsen's research revealed three messages, each of which crashes a single message broker, but he reported no luck in finding a single message capable of crashing all three – a small comfort to beleaguered system administrators.
Knudsen and CyRC privately disclosed the flaws to the project maintainers back in March, and all three have now been patched. RabbitMQ users are advised to upgrade to version 3.8.16 or above; EMQ X users to version 4.2.8 or above; and VerneMQ users to version 1.12.0 or above.