CVE-2023-29996 – A null pointer dereference vulnerability in Nan... (How to Fix)

Q: What is the severity of CVE-2023-29996?

CVE-2023-29996 has a CVSS score of 7.5 (HIGH). A null pointer dereference vulnerability in NanoMQ v0.15.0-0 causes segmentation faults when processing malformed MQTT subscription/unsubscription packets. This allows remote attackers to crash the NanoMQ broker service, causing denial of service. Anyone running vulnerable NanoMQ versions with MQTT protocol enabled is affected.

📋 TL;DR

A null pointer dereference vulnerability in NanoMQ v0.15.0-0 causes segmentation faults when processing malformed MQTT subscription/unsubscription packets. This allows remote attackers to crash the NanoMQ broker service, causing denial of service. Anyone running vulnerable NanoMQ versions with MQTT protocol enabled is affected.

💻 Affected Systems

Products:

NanoMQ

Versions: v0.15.0-0

Operating Systems: All platforms running NanoMQ

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with MQTT protocol enabled (default configuration).

📦 What is this software?

Nanomq by Emqx

View all CVEs affecting Nanomq →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of NanoMQ broker, disrupting all MQTT communications and potentially affecting dependent IoT/edge systems.

🟠

Likely Case

Service crash requiring manual restart, causing temporary MQTT communication disruption.

🟢

If Mitigated

Minimal impact if proper network segmentation and monitoring are in place to detect and restart crashed services.

🌐 Internet-Facing: HIGH - MQTT brokers often face the internet, and unauthenticated exploitation is possible.

🏢 Internal Only: MEDIUM - Internal attackers or compromised devices could still exploit this to disrupt MQTT communications.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted MQTT packets to trigger the null pointer dereference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.15.1 and later

Vendor Advisory: https://github.com/emqx/nanomq/issues/1038

Restart Required: Yes

Instructions:

1. Download latest NanoMQ version from official repository. 2. Stop current NanoMQ service. 3. Replace binary with patched version. 4. Restart NanoMQ service.

🔧 Temporary Workarounds

Network filtering

all

Block or filter malformed MQTT packets at network perimeter

Service monitoring and auto-restart

linux

Implement monitoring to detect crashes and automatically restart service

systemctl enable nanomq
systemctl start nanomq

🧯 If You Can't Patch

Implement network segmentation to isolate NanoMQ from untrusted networks
Deploy intrusion detection systems to monitor for malformed MQTT packets

🔍 How to Verify

Check if Vulnerable:

Check NanoMQ version: nanomq --version

Check Version:

nanomq --version

Verify Fix Applied:

Verify version is v0.15.1 or later and test with MQTT client sending various subscription packets

📡 Detection & Monitoring

Log Indicators:

Segmentation fault errors
Unexpected service termination
Core dump files

Network Indicators:

Malformed MQTT packets with subscription/unsubscription topics
Sudden drop in MQTT connections

SIEM Query:

source="nanomq.log" AND ("segmentation fault" OR "core dumped" OR "null pointer")

📊 Metadata

CVE ID: CVE-2023-29996

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

Published: May 4, 2023

Last Updated: January 29, 2025

🔗 References

https://github.com/emqx/nanomq/issues/1038 Exploit,Third Party Advisory
https://github.com/emqx/nanomq/issues/1038 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-29996, you might also want to check these: