Roger Light

**Nome do software vulnerável e versões afetadas: Eclipse Mosquitto, versões 2.0.0 a 2.0.9 Descrição: O problema ocorre quando um cliente autenticado conectado via MQTT v5 envia uma mensagem CONNACK manipulada ao broker, resultando em uma desreferência de ponteiro NULL. Recomendações: Para as versões 2.0.0 a 2.0.9 do Eclipse Mosquitto, considere restringir o uso de conexões MQTT v5 até que um patch esteja disponível. Como solução temporária, evite permitir que os clientes enviem mensagens CONNACK manipuladas ao broker. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Eclipse Mosquitto versions 1.5.0 through 1.6.5 **Description** The issue is related to insufficient exception state checking, which can be exploited by a remote attacker to cause a denial of service. This can happen when a malicious MQTT client sends a SUBSCRIBE packet containing a topic with approximately 65400 or more '/' characters, leading to a stack overflow. **Recommendations** For Eclipse Mosquitto versions 1.5.0 through 1.6.5, consider restricting the length of topics in SUBSCRIBE packets to prevent stack overflows until a patch is available. As a temporary workaround, restrict access to the SUBSCRIBE functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Eclipse Mosquitto versions 1.6.0 through 1.6.4 **Description** A use after free error occurs when an MQTT v5 client connects to the affected Eclipse Mosquitto versions, sets a last will and testament, a will delay interval, and a session expiry interval, where the will delay interval is longer than the session expiry interval. This error has the potential to cause a crash in certain situations. **Recommendations** For Eclipse Mosquitto versions 1.6.0 through 1.6.4, ensure that the will delay interval is not set longer than the session expiry interval to prevent the use after free error. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Eclipse Mosquitto versions 1.5 through 1.5.2 **Description** The issue occurs when a message is published to Mosquitto with a topic starting with $, but not $SYS, causing an assert to be triggered and Mosquitto to exit. **Recommendations** For Eclipse Mosquitto versions 1.5 through 1.5.2, avoid publishing messages with topics starting with $, except for $SYS topics, until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Eclipse Mosquitto version 1.4.14 **Description** The issue occurs when a Mosquitto instance is running with a configuration file and a HUP signal is sent to the server, triggering a configuration reload from disk. If there are numerous clients connected, exhausting the available file descriptors/sockets (typically 1024 on Linux), the configuration file cannot be opened. **Recommendations** For Eclipse Mosquitto version 1.4.14, consider increasing the file descriptor limit to prevent exhaustion when numerous clients are connected, or implement a mechanism to handle the reload of the configuration file without requiring additional file descriptors. As a temporary workaround, consider restricting the number of clients that can connect to the server to prevent file descriptor exhaustion when the configuration is reloaded.