DoS vulns in 3 open-source MQTT message brokers could leave users literally locked out of their homes or offices
If your IoT kit employs RabbitMQ, EMQ X or VerneMQ, it's time to get patching
Synopsys Cybersecurity Research Centre (CyRC) has warned of easily triggered denial-of-service (DoS) vulnerabilities in three popular open-source Internet of Things message brokers: RabbitMQ, EMQ X, and VerneMQ.
The message brokers, responsible for handling data sent to or from IoT devices like smart home hubs and door locks, all share a common protocol: Message Queuing Telemetry Transport (MQTT), first released in 1999 for monitoring oil pipelines and since repurposed for a variety of home and industrial automation tasks. Any disruption in MQTT messaging could potentially leave users locked out of their homes and offices.
"Message brokers are software applications that serve as a messaging hub for complex systems," said Jonathan Knudsen, Synopsys senior security strategist responsible for discovering the vulnerabilities, in the public disclosure. "They provide reliable communication channels between different components, serving as the nerve center of a complex system. As such, message brokers can also be a central point of failure."
All three message brokers affected by Knudsen's discovery can be fooled into bloating their memory usage until they are terminated by the host operating system by sending them a specially crafted MQTT message. Once terminated, any IoT device on the network which relies on the MQTT message broker will be rendered inoperable.
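The article does not describe the crafted messages, so the following is an added example of the kind of input check a broker or a filtering proxy in front of one would apply; it is not code from the article or from RabbitMQ, EMQ X or VerneMQ. It decodes the MQTT 3.1.1 fixed header (packet type, flags and the base-128 "Remaining Length" field) and rejects a packet that declares more payload than a configurable limit, or that encodes the length illegally, before any buffer is reserved for it. The `max_packet_size` default is an assumption, not a value from any of the brokers.

```python
"""Defensive MQTT fixed-header parser (added example, not from the article)."""
from dataclasses import dataclass
from typing import Tuple

# Protocol maximum for Remaining Length: four encoded bytes, 0xFF 0xFF 0xFF 0x7F.
MQTT_MAX_REMAINING_LENGTH = 268_435_455
# Control packet types defined by MQTT 3.1.1 (0 and 15 are reserved).
PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
                6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK",
                10: "UNSUBSCRIBE", 11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP",
                14: "DISCONNECT"}


class MalformedPacket(ValueError):
    """Raised for any fixed header a broker should refuse outright."""


@dataclass
class FixedHeader:
    packet_type: int
    flags: int
    remaining_length: int   # bytes of variable header + payload the client claims follow
    header_size: int        # bytes consumed by the fixed header itself


def decode_remaining_length(data: bytes, offset: int = 1) -> Tuple[int, int]:
    """Decode the base-128 Remaining Length at data[offset]; return (value, bytes used)."""
    value, multiplier, used = 0, 1, 0
    while True:
        if used == 4:  # the spec allows at most four length bytes
            raise MalformedPacket("remaining-length field longer than 4 bytes")
        if offset + used >= len(data):
            raise MalformedPacket("truncated remaining-length field")
        byte = data[offset + used]
        used += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:  # continuation bit clear: last length byte
            return value, used


def parse_fixed_header(data: bytes, max_packet_size: int = 1 << 20) -> FixedHeader:
    """Parse the fixed header, enforcing a size cap (1 MiB here is an assumed value)."""
    if not data:
        raise MalformedPacket("empty packet")
    packet_type, flags = data[0] >> 4, data[0] & 0x0F
    if packet_type not in PACKET_TYPES:
        raise MalformedPacket(f"reserved packet type {packet_type}")
    remaining, used = decode_remaining_length(data)
    if remaining > max_packet_size:  # refuse before allocating anything for the body
        raise MalformedPacket(f"declared length {remaining} exceeds limit {max_packet_size}")
    return FixedHeader(packet_type, flags, remaining, 1 + used)


def header_ok(data: bytes, max_packet_size: int = 1 << 20) -> bool:
    """True if the packet's fixed header passes the checks above."""
    try:
        parse_fixed_header(data, max_packet_size)
        return True
    except MalformedPacket:
        return False
```

The rest of the packet still has to be validated against the declared length once it arrives; this check only stops a client from making the broker reserve an oversized buffer on the strength of a two-to-five byte header.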
"If the message broker dies, system components won't be able to communicate," Knudsen continued. "CVE-2021-22116, CVE-2021-33175, and CVE-2021-33176 are denial of service vulnerabilities in three popular open source message brokers. They give attackers the opportunity to disable the message brokers, a denial-of-service attack that could have serious consequences."
The precise details of the vulnerability differ from system to system. While all are triggered by a malicious MQTT message, the message has to be written specifically for the target message broker. Knudsen's research revealed three messages, each of which crashes a single message broker, but reported no luck in finding a single message capable of crashing all three – a small comfort to beleaguered system administrators.
Knudsen and CyRC privately disclosed the flaws to the project maintainers back in March, and all three have now been patched. RabbitMQ users are advised to upgrade to version 3.8.16 or above; EMQ X users to version 4.2.8 or above; and VerneMQ users to version 1.12.0 or above. ®