CVE-2025-66023

Source: security-advisories@github.com

MEDIUM
6.9
Published: January 1, 2026 at 03:15 PM
Modified: January 2, 2026 at 04:45 PM

Vulnerability Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. Version 0.34.5 contains a patch. The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ. Specifically, it ensures that CONNACK is always the first packet processed on the connection. This prevents the state confusion that led to the Heap-Use-After-Free (UAF) when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

NanoMQ MQTT Broker versions prior to 0.24.5 contain a Heap-Use-After-Free (UAF) in the MQTT bridge client, allowing a malicious remote MQTT broker to trigger a Denial of Service (DoS) or potentially remote code execution (RCE). The vulnerability arises from improper handling of malformed packet sequences during bridge client connections, leading to memory corruption. Successful exploitation could disrupt critical messaging infrastructure and compromise sensitive data.

02 // Vulnerability Mechanism

Step 1: Connection Establishment: The vulnerable NanoMQ instance acts as a bridge, connecting to a remote, malicious MQTT broker.

Step 2: Malformed Packet Sequence: The malicious broker immediately sends a malformed packet sequence to the NanoMQ bridge client instead of the expected CONNACK packet.

Step 3: State Corruption: The NanoMQ client's internal state becomes inconsistent because of the unexpected packet sequence.

Step 4: Memory Corruption: When the client attempts to process subsequent packets, it accesses freed memory (Heap-Use-After-Free), leading to memory corruption.

Step 5: Exploitation: This memory corruption can result in a crash (DoS) or, with careful crafting, potentially lead to arbitrary code execution.

03 // Deep Technical Analysis

The vulnerability stems from a Heap-Use-After-Free (UAF) condition within the NanoMQ MQTT bridge client, specifically within the NanoNNG library. The root cause lies in the MQTT client's failure to properly validate the incoming packet sequence from a remote MQTT broker. When a malicious broker sends a malformed packet sequence immediately after the connection is established (e.g., a packet other than CONNACK), the client's internal state becomes inconsistent. This leads to the use of freed memory when processing subsequent packets, resulting in a crash or potentially allowing for arbitrary code execution. The patch addresses this by enforcing stricter protocol adherence, ensuring that CONNACK is always the first packet processed, thus preventing the state confusion.

04 // Exploitation Status

Discovery Only. While the vulnerability is well-understood, a public Proof-of-Concept (PoC) is not currently available. However, the nature of the vulnerability suggests that a skilled attacker could develop a working exploit.

05 // Threat Intelligence

While no specific APT groups are directly linked to exploiting this vulnerability, the potential for DoS and RCE makes it attractive to various threat actors. Given the critical role of MQTT brokers in IoT and industrial control systems (ICS), exploitation could have significant impact. CISA KEV status: Not Listed.

06 // Detection & Hunting

  • Monitor network traffic for unusual MQTT packet sequences, particularly those deviating from the standard connection handshake.

  • Analyze MQTT bridge client logs for error messages or unexpected behavior related to packet processing.

  • Implement intrusion detection systems (IDS) with rules to identify malformed MQTT packets.

  • Monitor system resource usage (CPU, memory) for spikes or unusual patterns that may indicate exploitation.

  • Review bridge client configuration for any unnecessary or overly permissive settings.
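The handshake rule behind both the vulnerability mechanism above and the first detection bullet (the server's first packet must be CONNACK) can be checked offline over a captured server-to-client byte stream. The following is an added example written for this page, not NanoMQ or NanoNNG code; it parses MQTT fixed headers (packet type nibble plus variable-length Remaining Length) and flags sessions that start with anything other than CONNACK or that carry a malformed header. The sample streams are constructed, not real captures.

```python
# Added example (not NanoMQ/NanoNNG code): server->client MQTT stream checker.
PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
    6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE",
    11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT", 15: "AUTH",
}

def decode_remaining_length(buf, pos):
    """Decode the MQTT variable-length Remaining Length at buf[pos] -> (value, next_pos)."""
    value, multiplier = 0, 1
    for i in range(4):                       # the spec allows at most 4 bytes
        if pos + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:                  # continuation bit clear: done
            return value, pos + i + 1
        multiplier *= 128
    raise ValueError("remaining length exceeds 4 bytes")

def split_packets(stream):
    """Split a raw server->client byte stream into (type_name, body) tuples."""
    packets, pos = [], 0
    while pos < len(stream):
        ptype = stream[pos] >> 4             # high nibble of the fixed header
        if ptype not in PACKET_TYPES:
            raise ValueError(f"reserved packet type {ptype} at offset {pos}")
        length, body_start = decode_remaining_length(stream, pos + 1)
        if body_start + length > len(stream):
            raise ValueError(f"packet at offset {pos} truncated")
        packets.append((PACKET_TYPES[ptype], stream[body_start:body_start + length]))
        pos = body_start + length
    return packets

def check_handshake(stream):
    """Return (verdict, packet names). The first packet the server sends must be CONNACK."""
    try:
        packets = split_packets(stream)
    except ValueError as exc:
        return f"MALFORMED: {exc}", []
    names = [name for name, _ in packets]
    first = names[0] if names else "nothing"
    if first != "CONNACK":
        return f"SUSPICIOUS: first packet was {first}, not CONNACK", names
    return "OK", names

# Constructed sample streams: CONNACK (session present=0, rc=0) and a QoS 0 PUBLISH to topic "a".
BENIGN = bytes([0x20, 0x02, 0x00, 0x00]) + bytes([0x30, 0x05, 0x00, 0x01, 0x61, 0x68, 0x69])
EVIL = bytes([0x30, 0x05, 0x00, 0x01, 0x61, 0x68, 0x69]) + bytes([0x20, 0x02, 0x00, 0x00])
TRUNCATED = bytes([0x20, 0x02, 0x00])
```

`check_handshake(EVIL)` reports the PUBLISH-before-CONNACK ordering that the 0.24.5 patch rejects, while `TRUNCATED` shows the malformed-header path a hunting script must also survive.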

07 // Remediation & Hardening

  • Upgrade NanoMQ to version 0.24.5 or later to patch the vulnerability.

  • If upgrading is not immediately possible, validate the remote broker before bridging to it. This can involve checking the broker's identity and reputation.

  • Implement network segmentation to isolate the MQTT broker from untrusted networks.

  • Regularly review and update security configurations for the MQTT broker and underlying systems.

  • Monitor the system for any signs of compromise or unusual activity.

08 // Affected Products

NanoMQ MQTT Broker versions prior to 0.24.5