NanoMQ MQTT Broker Type Confusion Vulnerability in QUIC Dialer Close Process

Vulnerability

A type confusion vulnerability has been identified in NanoMQ MQTT Broker versions prior to 0.24.14. During the dialing process, the provisional data attached to the asynchronous input/output operation is stored as a pointer to a QUIC connection, but when the dialer is closed that same field is read as a pointer to an exclusive QUIC connection. The mismatch causes the object to be misinterpreted, and the process hangs or crashes. The issue can be reproduced by allocating an asynchronous operation, dialing a stream through a dialer, and closing the dialer while the operation is still pending: the close path performs the mismatched read and the process hangs.
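The defensive pattern that prevents this class of bug is to record which object type a provisional-data pointer refers to and to check that tag before casting on the consuming side. The following C program is an added illustration of that pattern, not NanoMQ's or NNG's code; the types (quic_conn_t, quic_conn_ex_t), the aio_t structure and every function name are hypothetical stand-ins chosen for the example. The close routine returns a distinct status for each case instead of reinterpreting a base-connection pointer as an exclusive one.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the two connection types; not NanoMQ structures. */
typedef struct {
    int conn_id;
} quic_conn_t;

typedef struct {
    quic_conn_t *base;
    int          owner_stream;
} quic_conn_ex_t;

/* Tag recording what kind of object the provisional pointer points to. */
enum prov_kind { PROV_NONE = 0, PROV_CONN = 1, PROV_CONN_EX = 2 };

typedef struct {
    enum prov_kind kind;
    void          *ptr;
} prov_data_t;

/* Minimal asynchronous-operation object (hypothetical). */
typedef struct {
    prov_data_t prov;
} aio_t;

/* Producers always set the tag together with the pointer. */
void aio_set_prov_conn(aio_t *aio, quic_conn_t *c) {
    aio->prov.kind = PROV_CONN;
    aio->prov.ptr  = c;
}

void aio_set_prov_conn_ex(aio_t *aio, quic_conn_ex_t *c) {
    aio->prov.kind = PROV_CONN_EX;
    aio->prov.ptr  = c;
}

/* Checked accessor: returns NULL instead of a misinterpreted pointer. */
quic_conn_ex_t *aio_get_prov_conn_ex(const aio_t *aio) {
    if (aio->prov.kind != PROV_CONN_EX) {
        return NULL;
    }
    return (quic_conn_ex_t *)aio->prov.ptr;
}

/* Close path for a pending operation.
 * Returns 0 when an exclusive connection was closed,
 *         1 when the provisional data was a base connection and was closed as such,
 *        -1 when no usable provisional data is attached. */
int dialer_close_pending(aio_t *aio) {
    quic_conn_ex_t *ex = aio_get_prov_conn_ex(aio);
    if (ex != NULL) {
        ex->owner_stream = -1;          /* mark the exclusive connection closed */
        aio->prov.kind   = PROV_NONE;
        aio->prov.ptr    = NULL;
        return 0;
    }
    if (aio->prov.kind == PROV_CONN) {
        /* The unchecked version of this routine would have read these bytes
         * as a quic_conn_ex_t; the tag lets us take the correct path instead. */
        quic_conn_t *c = (quic_conn_t *)aio->prov.ptr;
        c->conn_id     = -1;            /* mark the base connection closed */
        aio->prov.kind = PROV_NONE;
        aio->prov.ptr  = NULL;
        return 1;
    }
    return -1;
}

/* Scenario: the dial stored a base connection, as the vulnerable path does. */
int scenario_close_base_conn(void) {
    quic_conn_t conn = { .conn_id = 7 };
    aio_t aio = { { PROV_NONE, NULL } };
    aio_set_prov_conn(&aio, &conn);
    int rv = dialer_close_pending(&aio);
    return (rv == 1 && conn.conn_id == -1) ? 1 : -99;
}

/* Scenario: the dial stored an exclusive connection, the type close expects. */
int scenario_close_exclusive(void) {
    quic_conn_t    conn = { .conn_id = 3 };
    quic_conn_ex_t ex   = { .base = &conn, .owner_stream = 9 };
    aio_t aio = { { PROV_NONE, NULL } };
    aio_set_prov_conn_ex(&aio, &ex);
    int rv = dialer_close_pending(&aio);
    return (rv == 0 && ex.owner_stream == -1) ? 0 : -99;
}

/* Scenario: nothing attached yet. */
int scenario_close_unset(void) {
    aio_t aio = { { PROV_NONE, NULL } };
    return dialer_close_pending(&aio);
}

int main(void) {
    printf("base conn close: %d\n", scenario_close_base_conn());
    printf("exclusive close: %d\n", scenario_close_exclusive());
    printf("unset close:     %d\n", scenario_close_unset());
    return 0;
}
```

The point of the tag is that a producer/consumer mismatch becomes a detectable condition with a defined result, rather than undefined behaviour that shows up as a hang or crash; the same check can be turned into an assertion in debug builds so that AddressSanitizer runs surface the mismatch at the store/read boundary.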

Impact

Exploitation of this vulnerability causes the process to hang, producing a denial-of-service condition. Depending on memory layout and timing, it could also lead to a crash.

Reproduction

The vulnerability can be reproduced with a C program that links against the NanoMQ libraries. The program allocates an asynchronous operation, sets a timeout, and uses a stream dialer to connect to a QUIC MQTT broker. Once the connection is established, closing the dialer triggers the type confusion. The program is compiled with AddressSanitizer enabled against a build of the NanoMQ project that includes the QUIC functionality. When run, it hangs indefinitely after the dialer is closed because of the incorrect handling of the QUIC connection data.

Remediation

Users are advised to upgrade to NanoMQ version 0.24.14 or later, where this vulnerability has been fixed.

Added: May 29, 2026, 8:34 PM
Updated: May 29, 2026, 8:34 PM