NanoMQ MQTT Broker Out-of-Bounds Read Vulnerability in Variable Byte Integer Parsing
Vulnerability
A heap-buffer-overflow vulnerability has been identified in NanoMQ MQTT Broker versions through 0.24.6. The issue arises in the MQTT v5 Variable Byte Integer parsing, where the function 'get_var_integer()' improperly accepts 5-byte varints without adequate bounds checking. This flaw can be exploited to trigger an out-of-bounds read and crash the application, particularly when NanoMQ is built with AddressSanitizer (ASan) enabled.
Impact
Exploitation of this vulnerability leads to a heap-buffer-overflow, causing a crash and potentially allowing for memory corruption.
Reproduction
The vulnerability can be reproduced by building NanoMQ with ASan enabled, using CMake. After compiling the broker, a malformed MQTT CONNECT packet can be sent to the broker. The crafted packet should include a Properties Length field that exploits the parsing logic by introducing a 5-byte varint, which the broker incorrectly processes, leading to an out-of-bounds read.
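The defect described above is a missing length cap and buffer bound on a Variable Byte Integer decoder. The following C code is an added illustration of what a correctly bounded decoder looks like; it is not NanoMQ's code, not its get_var_integer() function, and not the project's fix. Function and type names (mqtt_decode_varint, mqtt_check_properties, varint_status) and the sample byte sequences in main() are assumptions constructed for this example. The decoder enforces the MQTT limit of four bytes, never reads past the caller's buffer, rejects non-minimal encodings, and the second function checks that an announced Properties Length actually fits in the bytes that remain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MQTT Variable Byte Integer: 1..4 bytes, 7 data bits per byte,
 * high bit = continuation, maximum value 268,435,455. */
#define MQTT_VARINT_MAX_BYTES 4

typedef enum {
    VARINT_OK = 0,
    VARINT_TRUNCATED,  /* buffer ended before the terminating byte */
    VARINT_MALFORMED   /* more than 4 bytes, or non-minimal encoding */
} varint_status;

/* Decode a varint from buf[0..len). On success writes the value and the
 * number of bytes consumed. Never reads beyond len and never accepts a
 * fifth byte (the condition the advisory describes as unchecked). */
varint_status mqtt_decode_varint(const uint8_t *buf, size_t len,
                                 uint32_t *value, size_t *consumed)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < MQTT_VARINT_MAX_BYTES; i++) {
        if (i >= len)
            return VARINT_TRUNCATED;        /* bound: stop at end of buffer */
        uint8_t b = buf[i];
        acc |= (uint32_t)(b & 0x7F) << (7 * i);
        if ((b & 0x80) == 0) {
            /* MQTT-1.5.5-1: encoding must be minimal; a zero terminating
             * byte in a multi-byte encoding is a protocol error. */
            if (i > 0 && (b & 0x7F) == 0)
                return VARINT_MALFORMED;
            *value = acc;
            *consumed = i + 1;
            return VARINT_OK;
        }
    }
    /* Fourth byte still carried the continuation bit: 5+ byte varint. */
    return VARINT_MALFORMED;
}

/* Decode an MQTT v5 Properties Length prefix and verify that the
 * properties block it announces fits inside the remaining packet bytes.
 * props_off receives the offset of the first property byte. */
varint_status mqtt_check_properties(const uint8_t *buf, size_t len,
                                    size_t *props_off, uint32_t *props_len)
{
    uint32_t n;
    size_t used;
    varint_status st = mqtt_decode_varint(buf, len, &n, &used);
    if (st != VARINT_OK)
        return st;
    if (n > len - used)                     /* announced length exceeds what is present */
        return VARINT_TRUNCATED;
    *props_off = used;
    *props_len = n;
    return VARINT_OK;
}

/* Small wrappers (assumed names) so results can be checked as plain values. */
static int varint_status_of(const uint8_t *buf, size_t len)
{
    uint32_t v; size_t c;
    return (int)mqtt_decode_varint(buf, len, &v, &c);
}
static long varint_value_of(const uint8_t *buf, size_t len)
{
    uint32_t v; size_t c;
    return mqtt_decode_varint(buf, len, &v, &c) == VARINT_OK ? (long)v : -1L;
}
static long varint_bytes_of(const uint8_t *buf, size_t len)
{
    uint32_t v; size_t c;
    return mqtt_decode_varint(buf, len, &v, &c) == VARINT_OK ? (long)c : -1L;
}
static int props_status_of(const uint8_t *buf, size_t len)
{
    size_t off; uint32_t n;
    return (int)mqtt_check_properties(buf, len, &off, &n);
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const uint8_t ok2[]   = {0x80, 0x01};                   /* value 128, 2 bytes   */
    const uint8_t max4[]  = {0xFF, 0xFF, 0xFF, 0x7F};       /* 268435455, 4 bytes   */
    const uint8_t five[]  = {0xFF, 0xFF, 0xFF, 0xFF, 0x01}; /* 5-byte varint        */
    const uint8_t short1[] = {0x80};                        /* continuation, no end */
    const uint8_t props[] = {0x05, 0x21, 0x0A};             /* announces 5, has 2   */

    printf("128 decodes to %ld using %ld bytes\n",
           varint_value_of(ok2, sizeof ok2), varint_bytes_of(ok2, sizeof ok2));
    printf("max 4-byte value: %ld\n", varint_value_of(max4, sizeof max4));
    printf("5-byte varint status: %d (2 = malformed)\n", varint_status_of(five, sizeof five));
    printf("truncated varint status: %d (1 = truncated)\n", varint_status_of(short1, sizeof short1));
    printf("oversized properties length status: %d\n", props_status_of(props, sizeof props));
    return 0;
}
```

The key property is that the fifth byte of a five-byte varint is never read at all: the loop stops after four continuation bytes and reports a protocol error, so the decoder's behaviour does not depend on what memory lies beyond the packet. Checking the announced properties length against the bytes actually received closes the second gap, where a valid-looking length can point past the end of the buffer.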
Remediation
Users are advised to update to the latest version of NanoMQ where this vulnerability has been fixed.