PT-2020-13729 · Mqtt · Mqtt

Published 2020-06-04 · Updated 2020-06-10 · CVE-2020-13849

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MQTT protocol version 3.1.1

Description: The issue allows remote attackers to cause a denial of service, resulting in the loss of the ability to establish new connections. This is demonstrated by SlowITe, which exploits the requirement for a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client.

Recommendations: For MQTT protocol version 3.1.1, consider implementing measures to prevent abuse of the Keep-Alive value, such as limiting the maximum Keep-Alive value that can be specified by clients or implementing rate limiting on new connections. As a temporary workaround, consider restricting the ability of clients to specify high Keep-Alive values until a more permanent solution is available.
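To make the Keep-Alive arithmetic in the description and the cap suggested in the recommendations concrete, the following Python is an added example, not code from the advisory or from any MQTT broker project. It parses the Keep-Alive field out of an MQTT 3.1.1 CONNECT packet, computes the 1.5x idle timeout the specification requires the server to honour, and clamps the requested value to a broker-side maximum. The 60-second cap and the two embedded CONNECT packets are constructed for this example.

```python
import struct

# Broker policy: the largest Keep-Alive (seconds) a client may negotiate.
# Assumed value for this example; the advisory names no specific number.
MAX_KEEPALIVE_SECONDS = 60

# Constructed sample CONNECT packets (MQTT 3.1.1, protocol level 4, Clean Session,
# client id "c1"). They differ only in the two-byte Keep-Alive field:
# 0x001e = 30 s, 0xffff = 65535 s (the largest value the field can carry).
CONNECT_KEEPALIVE_30 = bytes.fromhex("100e00044d5154540402001e00026331")
CONNECT_KEEPALIVE_MAX = bytes.fromhex("100e00044d5154540402ffff00026331")


def parse_connect_keepalive(packet: bytes) -> int:
    """Return the Keep-Alive (seconds) from an MQTT 3.1.1 CONNECT packet.

    Raises ValueError for anything that is not a well-formed CONNECT, so a
    broker can reject the connection before allocating per-session state.
    """
    if not packet or (packet[0] >> 4) != 1:  # control packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")

    # Remaining Length uses a variable-length encoding of one to four bytes.
    idx, multiplier, remaining = 1, 1, 0
    while True:
        if idx >= len(packet) or idx > 4:
            raise ValueError("malformed Remaining Length")
        b = packet[idx]
        remaining += (b & 0x7F) * multiplier
        idx += 1
        if b & 0x80 == 0:
            break
        multiplier *= 128

    body = packet[idx:idx + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")

    # Variable header: length-prefixed protocol name, protocol level,
    # connect flags, then the 16-bit Keep-Alive (big-endian seconds).
    (name_len,) = struct.unpack_from(">H", body, 0)
    if body[2:2 + name_len] != b"MQTT":
        raise ValueError("unexpected protocol name")
    level, _flags, keepalive = struct.unpack_from(">BBH", body, 2 + name_len)
    if level != 4:
        raise ValueError("not protocol level 4 (MQTT 3.1.1)")
    return keepalive


def broker_timeout(keepalive: int) -> float:
    """Idle window the specification makes the server honour: 1.5 x Keep-Alive.

    A Keep-Alive of 0 disables the timer entirely, which is the worst case for
    resource exhaustion: the connection is never reaped by the protocol.
    """
    return 1.5 * keepalive


def effective_keepalive(keepalive: int, max_keepalive: int = MAX_KEEPALIVE_SECONDS) -> int:
    """Clamp a requested Keep-Alive to the broker policy.

    0 (no timer) and any value above the cap are both replaced by the cap, so
    every connection has a bounded idle window regardless of what was requested.
    """
    if keepalive == 0 or keepalive > max_keepalive:
        return max_keepalive
    return keepalive


def admit(packet: bytes, max_keepalive: int = MAX_KEEPALIVE_SECONDS) -> dict:
    """Broker-side admission check for one CONNECT packet.

    Returns the requested Keep-Alive, the value the broker will enforce, the
    resulting idle timeout in seconds, and whether the request was clamped.
    """
    requested = parse_connect_keepalive(packet)
    effective = effective_keepalive(requested, max_keepalive)
    return {
        "requested": requested,
        "effective": effective,
        "idle_timeout": broker_timeout(effective),
        "clamped": effective != requested,
    }


if __name__ == "__main__":
    for pkt in (CONNECT_KEEPALIVE_30, CONNECT_KEEPALIVE_MAX):
        print(admit(pkt))
```

With the cap in place, a client requesting the maximum 65535-second Keep-Alive would otherwise hold a half-open session for 98302.5 seconds (about 27 hours) while sending nothing; after clamping, the broker reaps it after 90 seconds. MQTT 3.1.1 has no CONNACK field to tell the client about the shorter value (that was added in MQTT 5 as Server Keep Alive), so a 3.1.1 broker either refuses oversized requests or simply enforces the shorter timer unilaterally; either way the idle window is bounded.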

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2020-13849
OPENSUSE-SU-2024:11575-1

Affected Products

Mqtt