Redboltz async_mqtt Use-After-Free Vulnerability in Endpoint Destructors Causes Denial-of-Service
Vulnerability
A use-after-free vulnerability has been identified in Redboltz async_mqtt version 10.2.5. This issue arises in the endpoint destructors, where an incorrect destruction order between 'io_context' and endpoint objects leads to a heap-use-after-free error. The vulnerability allows local users to cause a denial-of-service by triggering SSL initialization failures, which disrupt the proper cleanup sequence of related objects.
Impact
Triggering this vulnerability produces a heap-use-after-free error during endpoint teardown; the resulting memory corruption can be used to cause a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by building the async_mqtt broker with AddressSanitizer enabled so that memory-safety errors are detected at runtime. Run the resulting broker with a configuration that makes SSL/TLS initialization fail, for example by injecting faults into the OpenSSL library so that certificate loading fails or a key is rejected as invalid. During the broker's shutdown, AddressSanitizer reports the heap-use-after-free error, confirming that the vulnerability has been triggered.
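The following is an added illustration, not async_mqtt's own code, of the destruction-order mistake described above: a simplified `io_context` and `endpoint` pair in which the endpoint touches its context while being destroyed, laid out once in the order that produces the dangling access and once in an order that avoids it. The live-context registry and the `ssl_ok` flag are constructed for this model so the effect can be observed without undefined behaviour.

```cpp
#include <memory>
#include <set>
#include <stdexcept>

// Model only, not async_mqtt's code. Tracking live io_context objects makes
// the dangling access observable; ASan would flag it as heap-use-after-free.
static std::set<const void*> g_live_contexts;
static int g_dangling_accesses = 0;
struct io_context {
    io_context()  { g_live_contexts.insert(this); }
    ~io_context() { g_live_contexts.erase(this); }
    void cancel_pending_work() {}  // stands in for cancelling timers/handlers
};
// The endpoint keeps a raw pointer to its io_context and uses it while being
// destroyed, which is only safe if the io_context outlives every endpoint.
struct endpoint {
    io_context* ioc;
    explicit endpoint(io_context& c) : ioc(&c) {}
    ~endpoint() {
        if (!g_live_contexts.count(ioc)) { ++g_dangling_accesses; return; }
        ioc->cancel_pending_work();
    }
};
// Buggy layout: members are destroyed in reverse declaration order, so `ioc`
// dies before `ep` and ~endpoint dereferences a dead io_context. A throw from
// the constructor (e.g. failed SSL setup) tears members down the same way.
struct broker_buggy {
    std::unique_ptr<endpoint> ep;
    io_context ioc;
    explicit broker_buggy(bool ssl_ok) {
        ep = std::make_unique<endpoint>(ioc);
        if (!ssl_ok) throw std::runtime_error("ssl init failed");
    }
};
// Fixed layout: declare the io_context first so it is destroyed last.
struct broker_fixed {
    io_context ioc;
    std::unique_ptr<endpoint> ep;
    explicit broker_fixed(bool ssl_ok) {
        ep = std::make_unique<endpoint>(ioc);
        if (!ssl_ok) throw std::runtime_error("ssl init failed");
    }
};
// Returns how many endpoint destructors ran against a dead io_context.
template <class Broker> int dangling_accesses(bool ssl_ok) {
    g_dangling_accesses = 0;
    try { Broker b(ssl_ok); } catch (const std::runtime_error&) {}
    return g_dangling_accesses;
}
```

The same check applies whether the broker shuts down normally or its constructor fails part-way, which is why an initialization failure path is enough to expose the ordering bug.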
Remediation
Users can update to the latest version of Redboltz async_mqtt, where this vulnerability has been fixed.