Debian DSA-5511-1 : mosquitto - security update

critical Nessus Plugin ID 182418

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5511 advisory.

Several security vulnerabilities have been discovered in mosquitto, an MQTT compatible message broker, which may be abused for a denial of service attack.

CVE-2021-34434: In Eclipse Mosquitto, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked while a durable client is offline, the existing subscriptions for that client are not revoked.

CVE-2023-0809: Excessive memory could be allocated based on malicious initial packets that are not CONNECT packets.

CVE-2023-3592: Memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.

CVE-2023-28366: The broker in Eclipse Mosquitto has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Additionally, CVE-2021-41039 has been fixed for Debian 11 Bullseye: an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mosquitto

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
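The advisory's first-packet finding (CVE-2023-0809) is a general broker design point: the MQTT specification requires the first packet on a new connection to be CONNECT, and a broker that sizes a buffer from the remaining-length field before it has checked the packet type lets an unauthenticated peer dictate the allocation. The following Python is an added illustration of the defensive ordering, not Mosquitto's source and not the advisory's payload: it decodes the MQTT fixed header, rejects a non-CONNECT first packet before looking at its length, and caps the declared size by an assumed per-listener `max_packet_size`. The sample packets are constructed for the example.

```python
# Added illustration (not Mosquitto's code): gate a connection's first packet.
# The packet type is checked before any length-derived allocation, and the
# declared length is capped by max_packet_size (an assumed per-listener limit).
CONNECT = 1
PACKET_NAMES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
    6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE",
    11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT", 15: "AUTH",
}


def decode_remaining_length(buf, offset=1):
    """Decode the MQTT variable-byte integer starting at buf[offset].

    Returns (value, index_after_field). Seven data bits per byte, 0x80 as the
    continuation bit, at most four bytes (maximum 268,435,455); a fifth byte
    with the continuation bit still set is malformed.
    """
    value, multiplier, i = 0, 1, offset
    while True:
        if i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[i]
        i += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, i
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length (more than 4 bytes)")


def gate_first_packet(buf, max_packet_size=8192):
    """Decide whether to keep reading a connection's first packet.

    Returns (verdict, reason, bytes_to_allocate). A wrong packet type is
    rejected before the length is even decoded, so the peer's declared size
    never reaches an allocator on that path.
    """
    if not buf:
        return "reject", "empty input", 0
    ptype = buf[0] >> 4                      # control packet type: high nibble
    if ptype != CONNECT:
        name = PACKET_NAMES.get(ptype, f"type {ptype}")
        return "reject", f"first packet is {name}, expected CONNECT", 0
    try:
        remaining, header_len = decode_remaining_length(buf)
    except ValueError as exc:
        return "reject", str(exc), 0
    total = header_len + remaining
    if total > max_packet_size:
        return "reject", f"declared size {total} exceeds max_packet_size {max_packet_size}", 0
    return "accept", "CONNECT within size limit", total


# Constructed sample packets (not payloads from the advisory):
# a minimal MQTT 3.1.1 CONNECT with an empty client id (14 bytes on the wire),
CONNECT_OK = bytes.fromhex("100c00044d5154540402003c0000")
# a PUBLISH sent as the first packet, declaring the maximum remaining length,
PUBLISH_FIRST = bytes.fromhex("30ffffff7f")
# and a CONNECT whose remaining length decodes to 1 MiB (0x80 0x80 0x40).
CONNECT_HUGE = bytes.fromhex("10808040")

if __name__ == "__main__":
    for label, pkt in (("connect_ok", CONNECT_OK),
                       ("publish_first", PUBLISH_FIRST),
                       ("connect_huge", CONNECT_HUGE)):
        verdict, reason, size = gate_first_packet(pkt)
        print(f"{label}: {verdict} ({reason}), allocate {size} bytes")
```

The same ordering applies to every later packet as well: validate type and state before trusting a peer-supplied length, and treat the listener's configured maximum packet size as the upper bound for any buffer sized from the wire.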

Solution

Upgrade the mosquitto packages.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.0.11-1.2+deb12u1.
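Because the plugin decides solely from the self-reported package version, the whole check reduces to a Debian version comparison against the fixed version for the host's release. The following Python is an added example, not the plugin's NASL code: it parses constructed `dpkg -l` output, applies dpkg's version-ordering rules (epoch, upstream, revision; alternating non-digit and numeric runs, with `~` sorting before everything), and reports affected packages still below the fix. The sample `dpkg -l` excerpt is constructed for the example and does not come from a real scan.

```python
# Added example (not the Nessus plugin): reproduce the version-only check
# using dpkg's ordering rules and the fixed versions from the advisory.
import re

FIXED_VERSIONS = {
    "11": "2.0.11-1+deb11u1",    # bullseye
    "12": "2.0.11-1.2+deb12u1",  # bookworm
}
AFFECTED_PACKAGES = {
    "mosquitto", "mosquitto-clients", "mosquitto-dev", "libmosquitto1",
    "libmosquitto-dev", "libmosquittopp1", "libmosquittopp-dev",
}


def _order(ch):
    """dpkg's character weight: '~' sorts before everything (including
    end-of-string, passed as None), letters before non-letters."""
    if ch is None:
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two fragments as dpkg's verrevcmp() does: alternate a
    non-digit run (weighted characters) and a digit run (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            wa = _order(na[i] if i < len(na) else None)
            wb = _order(nb[i] if i < len(nb) else None)
            if wa != wb:
                return -1 if wa < wb else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under Debian ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def find_vulnerable(dpkg_l_output, release):
    """Scan `dpkg -l` text; return [(package, installed, fixed)] for fully
    installed affected packages whose version is below the fix for release."""
    fixed = FIXED_VERSIONS[release]
    findings = []
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":      # only installed packages
            continue
        name = fields[1].split(":", 1)[0]            # strip an ":amd64" suffix
        if name in AFFECTED_PACKAGES and compare_versions(fields[2], fixed) < 0:
            findings.append((name, fields[2], fixed))
    return findings


# Constructed `dpkg -l` excerpt for a hypothetical bookworm host.
SAMPLE_DPKG_L = """\
||/ Name                 Version            Architecture Description
+++-====================-==================-============-==========================
ii  libmosquitto1:amd64  2.0.11-1.2         amd64        MQTT client library
ii  mosquitto            2.0.11-1.2         amd64        MQTT message broker
ii  mosquitto-clients    2.0.11-1.2+deb12u1 amd64        Mosquitto command line clients
rc  mosquitto-dev        2.0.11-1.2         all          development files
"""

if __name__ == "__main__":
    for name, installed, fixed in find_vulnerable(SAMPLE_DPKG_L, "12"):
        print(f"{name}: installed {installed} < fixed {fixed}")
```

Two things the example makes visible: the release must be known before comparing (the plugin requires Host/Debian/release for this reason, and the bookworm versions above sort above the bullseye fix, so checking them against the wrong release reports nothing), and a version check says nothing about whether the broker is running, whether the fixed binary has been restarted, or whether the dynamic security plugin is in use; those are separate verifications.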

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993400

https://security-tracker.debian.org/tracker/source-package/mosquitto

https://www.debian.org/security/2023/dsa-5511

https://security-tracker.debian.org/tracker/CVE-2021-34434

https://security-tracker.debian.org/tracker/CVE-2021-41039

https://security-tracker.debian.org/tracker/CVE-2023-0809

https://security-tracker.debian.org/tracker/CVE-2023-28366

https://security-tracker.debian.org/tracker/CVE-2023-3592

https://packages.debian.org/source/bullseye/mosquitto

https://packages.debian.org/source/bookworm/mosquitto

Plugin Details

Severity: Critical

ID: 182418

File Name: debian_DSA-5511.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/2/2023

Updated: 1/24/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-34434

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2023-3592

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libmosquittopp1, p-cpe:/a:debian:debian_linux:mosquitto-clients, p-cpe:/a:debian:debian_linux:mosquitto-dev, p-cpe:/a:debian:debian_linux:libmosquittopp-dev, p-cpe:/a:debian:debian_linux:libmosquitto1, p-cpe:/a:debian:debian_linux:mosquitto, cpe:/o:debian:debian_linux:12.0, p-cpe:/a:debian:debian_linux:libmosquitto-dev

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/1/2023

Vulnerability Publication Date: 8/30/2021

Reference Information

CVE: CVE-2021-34434, CVE-2021-41039, CVE-2023-0809, CVE-2023-28366, CVE-2023-3592