Debian update for mosquitto

Published: 2019-02-11
Severity Medium
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2018-12546
CVE-2018-12550
CVE-2018-12551
CWE ID CWE-264
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software mosquitto (Debian package) Subscribe
Vendor Debian

Security Advisory

1) Permissions, Privileges, and Access Controls

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12546

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote authenticated user to gain access to potentially sensitive information.

The vulnerability exists due to an error when messages were still delivered to clients after their access to topic was revoked. A remote authenticated user was able to obtain potentially sensitive information.

Mitigation

Update the affected package to version: 1.4.10-3+deb9u3.

Vulnerable software versions

mosquitto (Debian package): 1.4.3-1, 1.4.4-1, 1.4.7-1, 1.4.8-1, 1.4.10-1, 1.4.10-2, 1.4.10-3, 1.4.10-3+deb9u1, 1.4.10-3+deb9u2

CPE External links

https://www.debian.org/security/2019/dsa-4388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-12550

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure default permissions to topics and messages, if the ACL file is blank. A remote attacker can gain unauthorized access to sensitive information.


Mitigation

Update the affected package to version: 1.4.10-3+deb9u3.

Vulnerable software versions

mosquitto (Debian package): 1.4.3-1, 1.4.4-1, 1.4.7-1, 1.4.8-1, 1.4.10-1, 1.4.10-2, 1.4.10-3, 1.4.10-3+deb9u1, 1.4.10-3+deb9u2

CPE External links

https://www.debian.org/security/2019/dsa-4388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

Severity: Low

CVSSv3: 4.9 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-12551

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to bypass password authentication.

The vulnerability exists due to insufficient validation of malformed input in a password file, when it is used for authentication. Incorrect data in password file will be treated by the application as a username with empty password, allowing attacker to gain unauthorized access to the application.

Mitigation

Update the affected package to version: 1.4.10-3+deb9u3.

Vulnerable software versions

mosquitto (Debian package): 1.4.3-1, 1.4.4-1, 1.4.7-1, 1.4.8-1, 1.4.10-1, 1.4.10-2, 1.4.10-3, 1.4.10-3+deb9u1, 1.4.10-3+deb9u2

CPE External links

https://www.debian.org/security/2019/dsa-4388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.