NanoMQ MQTT Broker Use-After-Free Vulnerability in Subscriptions Prior to 0.24.2

Vulnerability

A use-after-free vulnerability has been identified in NanoMQ MQTT Broker versions prior to 0.24.2. This issue arises from a data race condition related to the subscription information list, which can lead to a heap-based use-after-free crash. The vulnerability can be exploited by sending crafted MQTT messages that manipulate the subscription process, causing the broker to crash.

Impact

Exploitation of this vulnerability causes a heap use-after-free condition that crashes the NanoMQ broker. Beyond the crash, this type of vulnerability can often be exploited to execute arbitrary code under certain conditions.

Reproduction

The vulnerability can be reproduced by sending a specific sequence of MQTT messages that creates a data race in subscription management. This can be done using a network tool or script that sends messages to the NanoMQ broker at a high frequency, so that subscription and unsubscription processing overlap. The broker will crash after processing these messages, although the stack trace may differ from one crash to the next because of the nature of the data race.

Remediation

Users can upgrade to NanoMQ version 0.24.4 or later, where this vulnerability has been fixed. In the meantime, it is recommended to limit the rate of subscription and unsubscription requests, as high concurrency can trigger the issue.
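One way to apply the rate-limiting mitigation above, for instance in a proxy or gateway placed in front of the broker, shown as an added example (not NanoMQ code or configuration): a per-client sliding-window limit on SUBSCRIBE and UNSUBSCRIBE packets, identified from the MQTT fixed header. The class name, thresholds and sample frames are assumptions constructed for illustration.

```python
import collections

# MQTT control packet types (high nibble of the first fixed-header byte).
SUBSCRIBE, UNSUBSCRIBE = 8, 10
# Constructed sample frames: SUBSCRIBE and UNSUBSCRIBE for "a/b", and PINGREQ.
SUB = b"\x82\x08\x00\x01\x00\x03a/b\x00"
UNSUB = b"\xa2\x07\x00\x02\x00\x03a/b"
PING = b"\xc0\x00"

def packet_type(frame: bytes) -> int:
    """Return the packet type after validating the 1-4 byte remaining length."""
    if len(frame) < 2:
        raise ValueError("truncated fixed header")
    remaining, shift = 0, 0
    for i in range(1, 5):
        if i >= len(frame):
            raise ValueError("truncated remaining length")
        remaining |= (frame[i] & 0x7F) << shift
        if not frame[i] & 0x80:          # continuation bit clear: last byte
            break
        shift += 7
    else:
        raise ValueError("remaining length longer than 4 bytes")
    if len(frame) != i + 1 + remaining:
        raise ValueError("frame length does not match header")
    return frame[0] >> 4

class SubChurnLimiter:
    """Sliding-window limit on SUBSCRIBE/UNSUBSCRIBE packets per client."""
    def __init__(self, max_ops=5, window=1.0):   # assumed thresholds
        self.max_ops, self.window = max_ops, window
        self.seen = collections.defaultdict(collections.deque)

    def allow(self, client: str, frame: bytes, now: float) -> bool:
        if packet_type(frame) not in (SUBSCRIBE, UNSUBSCRIBE):
            return True                   # other traffic is not limited here
        q = self.seen[client]
        while q and now - q[0] >= self.window:
            q.popleft()                   # forget events outside the window
        if len(q) >= self.max_ops:
            return False                  # over budget: drop or disconnect
        q.append(now)
        return True
```

A `False` result is the point at which the front end would drop the packet or close the connection, and it is also worth logging as a signal of subscription churn against an unpatched broker.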

Added: Dec 27, 2025, 1:18 AM
Updated: Dec 27, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.