EMQ EMQX Enterprise Improper Access Control Vulnerability in Session Handling
Vulnerability
A vulnerability exists in EMQ EMQX Enterprise versions through 6.1.0, where the session handling component improperly enforces authorization: it uses the Client ID as the only session identifier and does not bind the session to the authenticated username. As a result, any authenticated attacker can disconnect a legitimate user simply by connecting with that user's Client ID, causing a denial-of-service condition. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by disrupting active MQTT sessions, particularly in multi-user or multi-tenant environments.
Reproduction
To reproduce this vulnerability, connect to an EMQX broker with a valid MQTT account and a chosen Client ID. Then connect with a different account using the same Client ID; the broker terminates the first connection. This can be automated with a provided Python script that simulates the attack.
Remediation
It is recommended to enforce a unique constraint that combines Client ID with username to prevent cross-user session interference. Additionally, consider adding a broker configuration option to bind Client IDs to specific users.
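The session-key flaw from the Reproduction section and the binding proposed under Remediation, side by side in an added example (not EMQX code; the broker's CONNECT hook is abstracted as a plain function, and the static Client ID reservation table is a hypothetical operator setting, not an EMQX option):

```python
"""Client ID ownership check for an MQTT broker CONNECT hook (constructed example)."""
from typing import Dict, Optional, Tuple

# Hypothetical operator-configured reservations: Client ID -> only username allowed to use it.
# Assumption for this example; not a real EMQX configuration key.
STATIC_BINDINGS: Dict[str, str] = {"sensor-01": "alice"}


class SessionRegistry:
    """Tracks live sessions by Client ID and remembers the authenticated username."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None) -> None:
        self.active: Dict[str, str] = {}      # client_id -> username owning the session
        self.static = dict(static_bindings or {})

    def vulnerable_connect(self, client_id: str, username: str) -> Tuple[bool, str]:
        """Flawed policy: the Client ID is the only session key, so any authenticated
        user who reuses the ID silently replaces (evicts) the existing session."""
        evicted = self.active.get(client_id)
        self.active[client_id] = username
        if evicted is not None and evicted != username:
            return True, f"accepted; evicted session owned by {evicted}"
        return True, "accepted"

    def hardened_connect(self, client_id: str, username: str) -> Tuple[bool, str]:
        """Fixed policy: session identity is (client_id, username). A reconnect by the
        same user still takes over its own session; a different user is refused."""
        reserved_for = self.static.get(client_id)
        if reserved_for is not None and reserved_for != username:
            return False, f"rejected: client id reserved for {reserved_for}"
        owner = self.active.get(client_id)
        if owner is not None and owner != username:
            return False, "rejected: client id in use by another user"
        self.active[client_id] = username
        return True, "accepted"

    def disconnect(self, client_id: str, username: str) -> None:
        """Only the session owner may release the Client ID."""
        if self.active.get(client_id) == username:
            del self.active[client_id]


if __name__ == "__main__":
    flawed = SessionRegistry()
    print(flawed.vulnerable_connect("sensor-01", "alice"))
    print(flawed.vulnerable_connect("sensor-01", "mallory"))   # alice is evicted
    fixed = SessionRegistry(STATIC_BINDINGS)
    print(fixed.hardened_connect("sensor-01", "alice"))
    print(fixed.hardened_connect("sensor-01", "mallory"))      # refused, alice stays
```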
