FlashMQ MQTT Broker Division-by-Zero Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in FlashMQ, an MQTT broker, in versions prior to 1.26.1. A remote client with permission to publish retained messages can crash the broker through the deferred write path for retained messages. Exploitation requires the 'set_retained_message_defer_timeout' and 'set_retained_message_defer_timeout_spread' settings to be configured to non-default values. If anonymous retained publishing is permitted, no authentication is needed; otherwise, the attacker must hold the appropriate publish rights.
Impact
Exploitation of this vulnerability triggers a division-by-zero error that crashes the FlashMQ broker, terminating the process and disrupting service.
Reproduction
To reproduce this vulnerability, configure the FlashMQ broker with 'allow_anonymous' set to true, 'set_retained_message_defer_timeout' set to 100 milliseconds, and 'set_retained_message_defer_timeout_spread' set to 0. Once the broker is running with these settings, a remote client can publish retained messages that race against the broker's delivery of deferred retained messages. This can be automated with a script that simulates the publishing process, taking advantage of the timing to trigger the division-by-zero error.
Remediation
Users can upgrade to FlashMQ version 1.26.1, which addresses the division-by-zero crash in the deferred retained message handling. After updating, a configuration reload is required to apply the changes.
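As an added example (not FlashMQ's own code), the audit script below flags the configuration combination and broker version this advisory describes. It assumes the one-directive-per-line 'key value' format of flashmq.conf and uses a constructed sample configuration.

```python
"""Audit a FlashMQ configuration for the settings named in this advisory.

Added example, not part of FlashMQ. Assumes the flashmq.conf 'key value'
line format (one directive per line, '#' starts a comment).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample config matching the advisory's reproduction settings.
SAMPLE_CONF = """
# constructed example flashmq.conf
allow_anonymous true
set_retained_message_defer_timeout 100
set_retained_message_defer_timeout_spread 0
"""

FIXED_VERSION = (1, 26, 1)  # first release with the fix, per the advisory


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' directives, ignoring blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.26.0' or 'v1.26' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def audit(conf: Dict[str, str], version: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means none of the advisory's conditions hold."""
    findings: List[str] = []
    if version is not None and parse_version(version) < FIXED_VERSION:
        findings.append(f"FlashMQ {version} predates 1.26.1: upgrade and reload config")
    defer = conf.get("set_retained_message_defer_timeout")
    spread = conf.get("set_retained_message_defer_timeout_spread")
    if defer is not None and spread == "0":
        findings.append("retained-message defer timeout set with spread 0: "
                        "division-by-zero crash path on unpatched brokers")
    if conf.get("allow_anonymous", "").lower() == "true":
        findings.append("allow_anonymous true: unauthenticated clients can reach "
                        "the retained-publish path")
    return findings
```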