The vulnerable code exists in the Dashboard creation and deletion processes. Attackers can leverage this vulnerability to hijack users’ dashboards or perform other actions on their behalf. MQTTRoute routes are accessed via an application/x-www-form-urlencoded endpoint. All requests are protected by basic authentication. In versions 3.3 and below, the code that creates a new dashboard does not require authentication. Therefore, an attacker can craft a malicious URL to bypass the login screen. The vulnerable code is located in the form.send() function. An attacker can craft a malicious URL that triggers the code, causing a vulnerable installation to create a dashboard on behalf of the attacker. An attacker can also remove a dashboard that they do not have permissions to create. When an attacker has control over the creation of a dashboard, they can use the dashboard’s functionality to perform actions on behalf of other MQTT users.

MQTT Vulnerability Types

The vulnerabilities of the MQTT protocol are divided into three categories:
- Authentication and Authorization
- Content Validation
- Route Manipulation and Poisoning

- Authentication and Authorization is an attack that exploits weaknesses in the authentication process of a service. This category covers problems with session management, eavesdropping, and replay attacks.
- Content Validation is an attack that maligns content validation as well as content tampering attacks. This category also covers manipulation of routing information.
- Route Manipulation and Poisoning is an attack that poisons or manipulates routes used by the MQTT protocol. This category also covers manipulation of incoming messages to a server or tampering with outgoing messages from a server.

Mitigation

The following mitigations were introduced in versions 4.2 and 3.3 respectively:

- The code that creates a new dashboard requires authentication.
- The code that removes a dashboard has also been updated to require authentication.

Credit: The disclosure of this vulnerability was facilitated by the MQTT research community .

Mitigation Strategies

Users of MQTT installed on a vulnerable version of the application should upgrade to 3.4 or later. If the application is already running on a vulnerable version, then it should be reinstalled from scratch.

Timeline

Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/14/2022 14:49:00 UTC

References