CVE-2023-33659 – A heap buffer overflow vulnerability in NanoMQ ... (How to Fix)

Q: What is the severity of CVE-2023-33659?

CVE-2023-33659 has a CVSS score of 7.5 (HIGH). A heap buffer overflow vulnerability in NanoMQ 0.17.2 allows attackers to trigger denial of service by exploiting the nmq_subinfo_decode() function. This affects systems running vulnerable versions of NanoMQ, potentially disrupting MQTT messaging services.

📋 TL;DR

A heap buffer overflow vulnerability in NanoMQ 0.17.2 allows attackers to trigger denial of service by exploiting the nmq_subinfo_decode() function. This affects systems running vulnerable versions of NanoMQ, potentially disrupting MQTT messaging services.

💻 Affected Systems

Products:

NanoMQ

Versions: 0.17.2 specifically (check for other affected versions)

Operating Systems: All platforms running NanoMQ

Default Config Vulnerable: ⚠️ Yes

Notes: Any NanoMQ deployment using MQTT subscription functionality is vulnerable

📦 What is this software?

Nanomq by Emqx

View all CVEs affecting Nanomq →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, though CVSS suggests DoS is primary risk

🟠

Likely Case

Denial of service causing NanoMQ service crashes and disruption of MQTT messaging

🟢

If Mitigated

Service disruption limited to NanoMQ instance without affecting underlying OS

🌐 Internet-Facing: HIGH - MQTT brokers often exposed to external clients

🏢 Internal Only: MEDIUM - Internal MQTT infrastructure could still be targeted

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending specially crafted MQTT packets to trigger the buffer overflow

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub commits for fixes after 0.17.2

Vendor Advisory: https://github.com/emqx/nanomq/issues/1154

Restart Required: Yes

Instructions:

1. Update NanoMQ to latest patched version 2. Restart NanoMQ service 3. Verify fix with version check

🔧 Temporary Workarounds

Network segmentation

linux

Restrict access to NanoMQ MQTT port (default 1883) to trusted clients only

iptables -A INPUT -p tcp --dport 1883 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 1883 -j DROP

🧯 If You Can't Patch

Implement strict network access controls to limit who can connect to NanoMQ
Deploy intrusion detection systems to monitor for abnormal MQTT traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check NanoMQ version: nanomq --version or examine installed package

Check Version:

nanomq --version

Verify Fix Applied:

Confirm version is newer than 0.17.2 and test with normal MQTT operations

📡 Detection & Monitoring

Log Indicators:

NanoMQ crash logs
Segmentation fault errors
Abnormal termination

Network Indicators:

Unusual MQTT subscription packets
Multiple connection attempts with malformed data

SIEM Query:

source="nanomq.log" AND ("segmentation fault" OR "crash" OR "buffer overflow")

📊 Metadata

CVE ID: CVE-2023-33659

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-787

Published: June 6, 2023

Last Updated: January 8, 2025

🔗 References

https://github.com/emqx/nanomq Product
https://github.com/emqx/nanomq/issues/1154 Exploit,Issue Tracking,Third Party Advisory
https://github.com/nanomq/NanoNNG/pull/509/commits/6815c4036a2344865da393803ecdb7af27d8bde1 Patch
https://github.com/emqx/nanomq Product
https://github.com/emqx/nanomq/issues/1154 Exploit,Issue Tracking,Third Party Advisory
https://github.com/nanomq/NanoNNG/pull/509/commits/6815c4036a2344865da393803ecdb7af27d8bde1 Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-33659, you might also want to check these: