NanoMQ
cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*
- 0.21.8
A vulnerability in NanoMQ version 0.21.10 allows unauthorized MQTT clients to bypass access control restrictions and read sensitive system topic messages. The bypass stems from the broker's handling of topic subscriptions and publications, particularly wildcard topic filters. Although the access control configuration denies subscriptions to certain system topics, the broker still forwards messages on those topics to clients that should not have access, resulting in unintended information disclosure.
Exploitation of this vulnerability allows unauthorized access to sensitive system topics that contain broker metadata, such as version information and details about connected clients. This information can be valuable for reconnaissance or targeted exploitation.
To reproduce this vulnerability, start NanoMQ with access control settings that restrict subscriptions to system topics. Then, connect a subscriber client using a user account that has these restrictions and subscribe to all topics. Next, publish a message to a non-system topic to trigger an internal update on a restricted $SYS topic. The subscriber will receive the message, demonstrating the access control bypass.
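The control a broker needs here is shown below as an added example; it is not NanoMQ code and makes no claim about how NanoMQ implements matching or ACLs. It implements the MQTT 3.1.1 rule (section 4.7.2) that a topic filter beginning with a wildcard must not match a topic name beginning with `$`, and it re-checks a deny list at forward time rather than only at subscribe time, so that a catch-all `#` subscription from a restricted user never receives `$SYS/...` messages. The user names, client ids, deny rules and topics are constructed for the demonstration.

```python
# Added example (not NanoMQ code): a reference MQTT topic-filter matcher plus a
# forward-time ACL check, demonstrating how a broker avoids leaking $SYS topics
# to wildcard subscribers that are denied access to them.
from typing import Dict, List, Tuple


def topic_matches(filter_: str, topic: str) -> bool:
    """Return True if the MQTT topic filter matches the topic name.

    Enforces the MQTT 3.1.1 section 4.7.2 rule: a filter whose first level is
    a wildcard ('#' or '+') must not match a topic name starting with '$'.
    Without this rule a bare '#' subscription silently covers every $SYS topic.
    """
    if filter_ and filter_[0] in "#+" and topic.startswith("$"):
        return False
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # '#' is only valid as the last level; it matches the parent
            # topic itself and everything beneath it.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class DenyAcl:
    """Per-user deny rules expressed as topic filters (constructed policy)."""

    def __init__(self, deny_filters: Dict[str, List[str]]) -> None:
        self.deny_filters = deny_filters

    def may_receive(self, user: str, topic: str) -> bool:
        # A deny filter such as '$SYS/#' starts with '$', so the wildcard
        # restriction above does not prevent it from matching $SYS topics.
        return not any(
            topic_matches(rule, topic) for rule in self.deny_filters.get(user, [])
        )


# A subscription is (client_id, user, topic_filter).
Subscription = Tuple[str, str, str]


def route(acl: DenyAcl, subscriptions: List[Subscription], topic: str) -> List[str]:
    """Return the client ids that receive a publish on `topic`.

    The ACL is evaluated against the concrete topic of every delivery, not just
    against the filter at subscribe time. This is what closes the gap where a
    broad filter is accepted at subscribe time but later matches a restricted
    topic.
    """
    delivered = []
    for client_id, user, topic_filter in subscriptions:
        if topic_matches(topic_filter, topic) and acl.may_receive(user, topic):
            delivered.append(client_id)
    return delivered


# Constructed scenario: 'alice' is denied $SYS, 'admin' is not.
ACL = DenyAcl({"alice": ["$SYS/#"]})
SUBSCRIPTIONS: List[Subscription] = [
    ("client-alice", "alice", "#"),          # catch-all filter from a restricted user
    ("client-alice-sys", "alice", "$SYS/#"),  # explicit $SYS filter, still denied
    ("client-admin", "admin", "$SYS/#"),
]


def deliveries_for_system_update() -> List[str]:
    # The broker publishes an internal metric update on a $SYS topic.
    return route(ACL, SUBSCRIPTIONS, "$SYS/broker/clients/connected")


def deliveries_for_app_message() -> List[str]:
    return route(ACL, SUBSCRIPTIONS, "sensors/room1/temperature")


if __name__ == "__main__":
    print("$SYS update delivered to:", deliveries_for_system_update())
    print("app message delivered to:", deliveries_for_app_message())
```

Two checks matter in the code: `topic_matches("#", "$SYS/...")` must be false by the specification even before any ACL is consulted, and `route` must consult the ACL per delivered topic so that a deny rule still applies when the subscription filter was broader than the rule. A broker that does either only at subscribe time exhibits exactly the class of leak described above.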