CVE-2023-28366

mosquitto: memory leak leads to unresponsive broker

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

El intermediario en Eclipse Mosquitto 1.3.2 hasta 2.x anterior a 2.0.16 tiene una pérdida de memoria de la que se puede abusar de forma remota cuando un cliente envía muchos mensajes QoS 2 con ID de mensajes duplicados y no responde a los comandos PUBREC. Esto ocurre debido a un mal manejo de EAGAIN desde la función de envío de libc.

A memory leak vulnerability was found in Eclipse Mosquitto. This issue is triggered by malicious initial packets or certain client actions and may allow a remote attacker to the deplete system resources causing memory exhaustion, leading to a disruption in services and a denial of service condition.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-15 CVE Reserved
2023-09-01 CVE Published
2024-08-02 CVE Updated
2024-10-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (9)

URL	Tag	Source
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16	Release Notes
https://mosquitto.org/blog/2023/08/version-2-0-16-released	Release Notes
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9	2024-01-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X	2024-01-07
https://security.gentoo.org/glsa/202401-09	2024-01-07
https://www.debian.org/security/2023/dsa-5511	2024-01-07
https://access.redhat.com/security/cve/CVE-2023-28366	2024-02-29
https://bugzilla.redhat.com/show_bug.cgi?id=2236882	2024-02-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Search vendor "Eclipse"		Mosquitto Search vendor "Eclipse" for product "Mosquitto"				>= 1.3.2 < 2.0.16 Search vendor "Eclipse" for product "Mosquitto" and version " >= 1.3.2 < 2.0.16"		-		Affected