CVE-2025-66023

MEDIUM 6.9 / 10.0
Published: January 1, 2026 at 03:15 PM
Modified: January 2, 2026 at 04:45 PM
Source: security-advisories@github.com

Vulnerability Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker: a malicious remote broker can cause a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. The fix is in version 0.24.5 (the advisory text also gives the fixed version as 0.34.5, which is inconsistent with the stated affected range "prior to 0.24.5"). The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ: it ensures that CONNACK is always the first packet processed on the connection, which prevents the state confusion that led to the UAF when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging to it.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: security-advisories@github.com

AI Security Analysis

01 // Technical Summary

NanoMQ MQTT Broker versions prior to 0.24.5 contain a Heap-Use-After-Free (UAF) in the bridge client, allowing a malicious remote MQTT broker to crash the bridge (Denial of Service) or cause potential memory corruption. The flaw arises from improper handling of the packet sequence received from the broker during bridge connection establishment: packets are processed before a CONNACK has been received. The attacker must be, or control, the broker the bridge connects to, and the CVSS vector scores high attack complexity with an attack requirement (AC:H/AT:P) and an availability-only impact (VC:N/VI:N/VA:H, SA:H); no confidentiality or integrity impact is claimed. Successful exploitation disrupts the messaging path the bridge provides between the edge broker and its upstream.

02 // Vulnerability Mechanism

Step 1: Connection establishment. The vulnerable NanoMQ instance, acting as a bridge, opens a connection to the configured remote broker and sends CONNECT.
Step 2: Malformed packet sequence. Instead of answering with CONNACK first, the malicious broker accepts the connection and immediately sends a malformed packet sequence.
Step 3: State confusion. The bridge client's internal connection state becomes inconsistent because it handles packets that are only valid after CONNACK.
Step 4: Use after free. While processing the subsequent packets, the client accesses heap memory that has already been freed (Heap-Use-After-Free).
Step 5: Impact. The result is a crash (DoS) or potential memory corruption. The advisory scores availability impact only; it does not claim code execution.

03 // Deep Technical Analysis

The vulnerability stems from a Heap-Use-After-Free (UAF) condition within the NanoMQ MQTT bridge client, specifically in the NanoNNG library that implements it. The root cause is that the MQTT client did not enforce the expected packet sequence from the remote broker: the first packet a client may process after sending CONNECT is CONNACK, but when a malicious broker sent something else (or a malformed sequence) immediately after the TCP connection was established, the client's connection state became inconsistent and later packet handling used memory that had already been freed, causing a crash or potential memory corruption. The patch enforces CONNACK-first processing in the embedded client SDK, so a pre-CONNACK packet is rejected rather than driving connection state. Because the trigger is the first bytes from the broker side, any party that can answer the bridge's connection is in the attacker position: a compromised or rogue broker, or an on-path attacker when the bridge uses plaintext MQTT over TCP. The advisory's workaround, validating the remote broker before bridging, therefore means bridging only to trusted brokers and authenticating the broker endpoint (for example TLS with server certificate verification) until the bridge runs a fixed release.
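Worked example of the protocol rule the patch enforces, added here for illustration and not taken from NanoMQ or NanoNNG: a receive gate for a bridge client that accepts only a complete, well-formed CONNACK as the first inbound packet and closes the session on anything else, so the pre-CONNACK state is never driven by a broker-chosen packet. All names, states and sample packets below are constructed; the CONNACK layouts for MQTT 3.1.1 and 5.0 come from the specifications, not from the advisory.

```c
/*
 * Added example (not NanoMQ/NanoNNG code): a receive gate for an MQTT bridge
 * client that refuses to dispatch anything but a well-formed CONNACK as the
 * first inbound packet. Names, states and sample packets are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { MQTT_CONNACK = 2 };                  /* control packet type, fixed header bits 7-4 */
enum client_state { ST_CONNECT_SENT, ST_CONNECTED, ST_CLOSED };
enum gate_result {
    GATE_OK = 0,              /* complete CONNACK consumed, return code 0 */
    GATE_NEED_MORE = 1,       /* packet incomplete, keep reading */
    GATE_PROTOCOL_ERROR = -1, /* first packet not CONNACK, or CONNACK after CONNACK */
    GATE_MALFORMED = -2,      /* CONNACK present but its encoding violates the spec */
    GATE_REFUSED = -3         /* CONNACK with non-zero return/reason code */
};

struct bridge_client {
    enum client_state state;
    uint8_t proto_ver;        /* 4 = MQTT 3.1.1, 5 = MQTT 5.0 */
};

/* MQTT variable byte integer: 1-4 bytes, 7 data bits each, bit 7 = continue.
 * Returns bytes consumed, 0 if more input is needed, -1 if malformed. */
static int decode_varint(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t value = 0, mult = 1;
    for (size_t i = 0; i < 4; i++) {
        if (i >= len) return 0;
        value += (uint32_t)(buf[i] & 0x7F) * mult;
        if ((buf[i] & 0x80) == 0) { *out = value; return (int)(i + 1); }
        mult *= 128;
    }
    return -1; /* a fifth byte is never legal */
}

/* Any violation before CONNACK ends the session; nothing is dispatched. */
static int gate_fail(struct bridge_client *c, enum gate_result r)
{
    c->state = ST_CLOSED;
    return r;
}

/* Feed bytes received from the remote broker while waiting for CONNACK.
 * On GATE_OK, *consumed is the CONNACK length; only then may the caller hand
 * the remainder of the buffer to the normal packet dispatcher. */
int bridge_gate_first_packet(struct bridge_client *c, const uint8_t *buf, size_t len, size_t *consumed)
{
    if (c->state != ST_CONNECT_SENT) return gate_fail(c, GATE_PROTOCOL_ERROR);
    if (len < 2) return GATE_NEED_MORE;

    uint8_t type = buf[0] >> 4, flags = buf[0] & 0x0F;
    if (type != MQTT_CONNACK) return gate_fail(c, GATE_PROTOCOL_ERROR); /* e.g. PUBLISH sent first */
    if (flags != 0) return gate_fail(c, GATE_MALFORMED);                /* CONNACK flags are reserved 0 */

    uint32_t rem = 0;
    int n = decode_varint(buf + 1, len - 1, &rem);
    if (n < 0) return gate_fail(c, GATE_MALFORMED);
    if (n == 0) return GATE_NEED_MORE;
    size_t hdr = 1 + (size_t)n;

    /* 3.1.1: exactly 2 bytes (ack flags, return code). 5.0: those 2 plus a property block. */
    if (c->proto_ver == 4 && rem != 2) return gate_fail(c, GATE_MALFORMED);
    if (c->proto_ver == 5 && rem < 3) return gate_fail(c, GATE_MALFORMED);
    if (len < hdr + rem) return GATE_NEED_MORE;

    uint8_t ack_flags = buf[hdr], rc = buf[hdr + 1];
    if (ack_flags & 0xFE) return gate_fail(c, GATE_MALFORMED);          /* only bit 0 (session present) */
    if (c->proto_ver == 5) {
        uint32_t plen = 0;
        int pn = decode_varint(buf + hdr + 2, rem - 2, &plen);
        if (pn <= 0 || 2 + (size_t)pn + plen != rem) return gate_fail(c, GATE_MALFORMED);
    }
    if (rc != 0) return gate_fail(c, GATE_REFUSED);

    c->state = ST_CONNECTED;
    *consumed = hdr + rem;
    return GATE_OK;
}

/* Constructed sample packets, as a remote broker might send them first. */
static const uint8_t PKT_CONNACK_V4[]        = { 0x20, 0x02, 0x00, 0x00 };           /* legitimate 3.1.1 */
static const uint8_t PKT_PUBLISH_FIRST[]     = { 0x30, 0x04, 0x00, 0x01, 'a', 'x' }; /* PUBLISH before CONNACK */
static const uint8_t PKT_CONNACK_3BYTE[]     = { 0x20, 0x03, 0x00, 0x00, 0x00 };     /* bad for v4, valid v5 (empty props) */
static const uint8_t PKT_CONNACK_V5_BADPROP[] = { 0x20, 0x03, 0x00, 0x00, 0x05 };    /* claims 5 property bytes, has 0 */
static const uint8_t PKT_CONNACK_TRUNC[]     = { 0x20, 0x02, 0x00 };                 /* cut short */
static const uint8_t PKT_CONNACK_REFUSED[]   = { 0x20, 0x02, 0x00, 0x05 };           /* not authorized */

/* Run one packet through a fresh client and return the gate verdict. */
static int gate_verdict(uint8_t proto_ver, const uint8_t *pkt, size_t len)
{
    struct bridge_client c = { ST_CONNECT_SENT, proto_ver };
    size_t consumed = 0;
    return bridge_gate_first_packet(&c, pkt, len, &consumed);
}

/* A second CONNACK after a successful one must be rejected too. */
static int second_connack_verdict(void)
{
    struct bridge_client c = { ST_CONNECT_SENT, 4 };
    size_t consumed = 0;
    bridge_gate_first_packet(&c, PKT_CONNACK_V4, sizeof PKT_CONNACK_V4, &consumed);
    return bridge_gate_first_packet(&c, PKT_CONNACK_V4, sizeof PKT_CONNACK_V4, &consumed);
}

int main(void)
{
    printf("CONNACK v4:         %d\n", gate_verdict(4, PKT_CONNACK_V4, sizeof PKT_CONNACK_V4));
    printf("PUBLISH first:      %d\n", gate_verdict(4, PKT_PUBLISH_FIRST, sizeof PKT_PUBLISH_FIRST));
    printf("3-byte CONNACK v4:  %d\n", gate_verdict(4, PKT_CONNACK_3BYTE, sizeof PKT_CONNACK_3BYTE));
    printf("3-byte CONNACK v5:  %d\n", gate_verdict(5, PKT_CONNACK_3BYTE, sizeof PKT_CONNACK_3BYTE));
    printf("v5 bad properties:  %d\n", gate_verdict(5, PKT_CONNACK_V5_BADPROP, sizeof PKT_CONNACK_V5_BADPROP));
    printf("truncated CONNACK:  %d\n", gate_verdict(4, PKT_CONNACK_TRUNC, sizeof PKT_CONNACK_TRUNC));
    printf("refused CONNACK:    %d\n", gate_verdict(4, PKT_CONNACK_REFUSED, sizeof PKT_CONNACK_REFUSED));
    printf("second CONNACK:     %d\n", second_connack_verdict());
    return 0;
}
```

The gate sits in front of the normal dispatcher, so a PUBLISH (or any other non-CONNACK packet) arriving first is rejected without ever being parsed against connection state that does not yet exist, and a truncated CONNACK simply waits for more bytes. Note that the same five bytes are a malformed CONNACK for MQTT 3.1.1 and a valid one for MQTT 5.0, so the check must know which protocol version the bridge negotiated.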
