NanoMQ
cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*
- 0.24.6
A denial-of-service vulnerability has been identified in NanoMQ MQTT Broker version 0.24.6, stemming from improper validation of shared subscription topics. When a client sends a SUBSCRIBE packet containing a malformed shared-subscription topic filter, the broker fails to enforce strict validation, allowing the invalid filter to be stored in the subscription table. The flaw becomes apparent when a PUBLISH message matches the malformed subscription, triggering a crash in the broker. The crash occurs because the broker's send path increments a pointer derived from the stored subscription topic without checking it for NULL, leading to a segmentation fault.
Exploitation of this vulnerability causes a stable crash of the NanoMQ broker, triggered by a segmentation fault. This crash can be consistently replicated by publishing to a topic that matches a previously subscribed shared topic, which was incorrectly formatted and not properly validated.
To reproduce this vulnerability, first create a malformed shared subscription by subscribing to a topic like '$share/ab' (missing the second '/'). This can be done using the 'mosquitto_sub' command from the Mosquitto client tools. After the subscription is established, publish a message to a topic that matches the malformed subscription. The broker will crash, demonstrating the vulnerability.
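The missing check described above is a filter-shape validation at SUBSCRIBE time. The following is an added example (not NanoMQ source) of a validator for MQTT v5 shared-subscription filters of the form `$share/{ShareName}/{TopicFilter}`; it rejects the `'$share/ab'` form from the advisory, so no filter without a topic part can ever reach the subscription table and the send path never dereferences a missing topic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NanoMQ code. Validates "$share/{ShareName}/{TopicFilter}":
 * the ShareName must be non-empty and contain no '/', '+' or '#', and a
 * non-empty topic filter must follow the second '/'. */
static const char SHARE_PREFIX[] = "$share/";

bool shared_filter_is_valid(const char *filter)
{
    if (filter == NULL)
        return false;
    size_t plen = sizeof(SHARE_PREFIX) - 1;
    if (strncmp(filter, SHARE_PREFIX, plen) != 0)
        return false;                       /* not a shared filter at all */

    const char *name = filter + plen;
    const char *sep  = strchr(name, '/');   /* the required second '/' */
    if (sep == NULL || sep == name)
        return false;                       /* "$share/ab" or "$share//x" */

    for (const char *p = name; p < sep; p++)
        if (*p == '+' || *p == '#')
            return false;                   /* wildcards are not allowed in ShareName */

    return sep[1] != '\0';                  /* "$share/ab/" has no topic filter */
}

/* Returns the TopicFilter part of a valid shared filter, or NULL when the
 * filter is malformed, so callers cannot store a NULL topic by accident. */
const char *shared_filter_topic(const char *filter)
{
    if (!shared_filter_is_valid(filter))
        return NULL;
    return strchr(filter + sizeof(SHARE_PREFIX) - 1, '/') + 1;
}

int main(void)
{
    const char *samples[] = { "$share/ab/sensors/temp", "$share/ab",
                              "$share/ab/", "$share/a+b/x" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *topic = shared_filter_topic(samples[i]);
        printf("%-24s -> %s\n", samples[i], topic ? topic : "REJECT");
    }
    return 0;
}
```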
Users are advised to update to NanoMQ version 0.24.7, where this vulnerability has been patched.