CocoaMQTT Denial-of-Service Vulnerability in Packet Parsing Logic
Vulnerability
A denial-of-service vulnerability has been identified in CocoaMQTT, an MQTT 5.0 client library for iOS and macOS, in versions prior to 2.2.2. The issue lies in the packet parsing logic: a malicious publisher, or a compromised MQTT broker, can remotely crash the host application by publishing a 4-byte malformed payload to a topic the client subscribes to, with the RETAIN flag set. The broker persists the retained payload and pushes it to every client that subscribes to the topic, so a vulnerable client crashes as soon as it subscribes, and again each time it reconnects and resubscribes. This effectively 'bricks' the mobile application, creating a persistent denial-of-service condition until the retained message is removed from the broker's store.
Impact
Exploitation crashes the application remotely. Because the broker redelivers the retained message on every subscription, the denial-of-service condition persists until the retained message is manually deleted from the broker's store.
Reproduction
To reproduce this vulnerability, publish a 4-byte malformed payload, for example one whose topic-length field is zero, to a topic the target clients subscribe to, with the RETAIN flag set to true. Once the broker has retained the payload, any vulnerable client that subscribes to the topic receives the malformed packet and crashes; no further action by the attacker is needed.
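The defect class behind this advisory is a packet parser that trusts the length fields carried in an inbound PUBLISH instead of checking them against the bytes actually received. The following is an added example, not CocoaMQTT's code and not the advisory's proof-of-concept bytes: a minimal MQTT PUBLISH variable-header parser in a fragile form beside a hardened form. The two sample packets are constructed for the example; the malformed one mirrors the description above (4 bytes, zero-length topic, RETAIN set) as an assumption about the shape of such a packet, not as the actual payload used against CocoaMQTT.

```python
"""Added example: fragile vs. hardened parsing of an MQTT PUBLISH packet.
Not CocoaMQTT's code; the packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

MQTT_V5 = 5


class MalformedPacket(Exception):
    """Controlled failure: the caller drops the packet or the connection
    instead of the whole process dying."""


@dataclass
class Publish:
    topic: str
    qos: int
    retain: bool
    packet_id: Optional[int]
    payload: bytes


def _read_varint(buf: bytes, pos: int):
    """MQTT Variable Byte Integer: 1-4 bytes, 7 data bits each, MSB = continue."""
    value, mult = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise MalformedPacket("truncated Variable Byte Integer")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise MalformedPacket("Variable Byte Integer exceeds 4 bytes")


def parse_publish_naive(packet: bytes, version: int = MQTT_V5) -> Publish:
    """Trusts every length field on the wire. For a packet that carries a
    zero-length topic and nothing after it, the packet-identifier read below
    walks off the end of the buffer; the IndexError stands in for the fatal
    out-of-bounds access a native client would hit."""
    flags = packet[0] & 0x0F
    qos, retain = (flags >> 1) & 0x03, bool(flags & 0x01)
    _, pos = _read_varint(packet, 1)
    topic_len = (packet[pos] << 8) | packet[pos + 1]
    pos += 2
    topic = packet[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos > 0:
        packet_id = (packet[pos] << 8) | packet[pos + 1]   # no bounds check
        pos += 2
    if version == MQTT_V5:
        props_len, pos = _read_varint(packet, pos)
        pos += props_len                                    # no bounds check
    return Publish(topic, qos, retain, packet_id, packet[pos:])


def parse_publish_safe(packet: bytes, version: int = MQTT_V5) -> Publish:
    """Checks every length against the bytes actually received and rejects
    spec-violating fields, so a hostile broker can only get the packet
    dropped, not the application killed."""
    if len(packet) < 2 or (packet[0] >> 4) != 3:
        raise MalformedPacket("not a PUBLISH packet")
    flags = packet[0] & 0x0F
    qos, retain = (flags >> 1) & 0x03, bool(flags & 0x01)
    if qos == 3:
        raise MalformedPacket("QoS 3 is reserved")
    rem_len, pos = _read_varint(packet, 1)
    if rem_len != len(packet) - pos:
        raise MalformedPacket("Remaining Length does not match packet size")
    if pos + 2 > len(packet):
        raise MalformedPacket("truncated topic length")
    topic_len = int.from_bytes(packet[pos:pos + 2], "big")
    pos += 2
    if pos + topic_len > len(packet):
        raise MalformedPacket("topic length exceeds packet")
    try:
        topic = packet[pos:pos + topic_len].decode("utf-8")
    except UnicodeDecodeError as e:
        raise MalformedPacket("topic is not valid UTF-8") from e
    pos += topic_len
    # A zero-length topic is illegal in MQTT 3.1.1; MQTT 5 allows it only with
    # a Topic Alias property, which this conservative example does not support.
    if not topic or "#" in topic or "+" in topic or "\0" in topic:
        raise MalformedPacket("empty topic, wildcard, or NUL in topic name")
    packet_id = None
    if qos > 0:
        if pos + 2 > len(packet):
            raise MalformedPacket("truncated packet identifier")
        packet_id = int.from_bytes(packet[pos:pos + 2], "big")
        pos += 2
        if packet_id == 0:
            raise MalformedPacket("packet identifier must be non-zero")
    if version == MQTT_V5:
        props_len, pos = _read_varint(packet, pos)
        if pos + props_len > len(packet):
            raise MalformedPacket("properties length exceeds packet")
        pos += props_len
    return Publish(topic, qos, retain, packet_id, packet[pos:])


def handle_incoming(packet: bytes, parser=parse_publish_safe) -> str:
    """Receive-loop policy: a malformed packet is dropped and reported."""
    try:
        msg = parser(packet)
    except MalformedPacket as e:
        return f"dropped: {e}"
    return f"delivered: {msg.topic!r} ({len(msg.payload)} bytes)"


# Constructed samples. Well-formed MQTT 5 PUBLISH, QoS 1, RETAIN, topic
# "sensors/1", packet id 1, no properties, payload "on".
GOOD_PUBLISH = (bytes([0x33, 0x10, 0x00, 0x09]) + b"sensors/1"
                + bytes([0x00, 0x01, 0x00]) + b"on")
# Hypothetical retained 4-byte packet: zero-length topic and nothing after it.
BAD_PUBLISH = bytes([0x33, 0x02, 0x00, 0x00])

if __name__ == "__main__":
    print(handle_incoming(GOOD_PUBLISH))
    print(handle_incoming(BAD_PUBLISH))                       # dropped
    print(handle_incoming(BAD_PUBLISH, parse_publish_naive))  # raises IndexError
```

Run with the hardened parser, the malformed packet is reported and the session carries on; with the naive parser the error escapes `handle_incoming` because it is not the controlled `MalformedPacket` type, which is exactly the situation a native client is in when the parser itself faults.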
Remediation
Users should upgrade to CocoaMQTT version 2.2.2 or later, which fixes the packet parsing logic. Upgrading the client does not remove a malicious message that a broker has already retained, so clients still on older versions keep crashing until it is cleared. Per the MQTT specification, publishing a zero-length payload with the RETAIN flag set to the affected topic clears the retained message (with the Mosquitto tools: `mosquitto_pub -r -n -t <topic>`); alternatively, delete it through the broker's administration interface.
