CVE-2024-42655
📋 TL;DR
An access control flaw in NanoMQ v0.21.10 lets an MQTT client bypass restrictions on system topics and read their messages by subscribing with wildcard filters. MQTT reserves topic names beginning with `$` (the `$SYS/...` tree) for broker and system use and requires that a subscription filter whose first level is `#` or `+` never match them; on the affected version, wildcard subscriptions reach system-topic messages anyway, so a restriction that only guards the literal `$SYS/` prefix can be sidestepped. Any deployment in which `$SYS` or other `$`-prefixed topics carry sensitive operational or control data is affected, and a client that can connect to the broker can read messages meant only for authorized users or system components.
💻 Affected Systems
- NanoMQ v0.21.10 (fixed in v0.21.11)
📦 What is this software?
NanoMQ is an open-source MQTT broker written in C and maintained by EMQ, aimed at edge and embedded deployments. Like other MQTT brokers it publishes broker status on `$SYS/...` system topics, which are the topics at issue here.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive system topics, potentially exposing confidential data, configuration details, or control messages that could lead to further system compromise.
Likely Case
Unauthorized reading of system topic messages containing operational data, configuration information, or other sensitive content not intended for public access.
If Mitigated
Limited if the broker is reachable only from trusted networks, anonymous connections are disabled, and the ACL denies broad wildcard filters (`#`, `+/#`) to clients that do not need them; an attacker then has to obtain valid credentials before the wildcard bypass is usable.
🎯 Exploit Status
Exploitation requires only an MQTT session with the broker (anonymous where allowed, or any valid credentials) and standard SUBSCRIBE packets: a filter such as `#` or `+/#` is enough. No malformed traffic or protocol abuse is involved, so the activity looks like an ordinary broad subscription unless the filter itself is logged and reviewed.
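The rule a conformant broker has to apply, shown as an added Python example (not NanoMQ code): `match_spec` implements MQTT topic-filter matching including the `$`-topic exclusion from MQTT 3.1.1 section 4.7.2 (unchanged in MQTT 5.0), while `match_naive` is an illustrative matcher that omits only that check, to show how a broker can end up delivering `$SYS` messages to a `#` subscriber. It is not a copy of any broker's implementation, and the topic names in the demo are constructed.

```python
"""MQTT topic-filter matching with and without the '$'-topic rule.

Added example for this page, not NanoMQ code. MQTT 3.1.1 section 4.7.2
(unchanged in MQTT 5.0) requires that a filter whose first level is a
wildcard ('#' or '+') never match a topic name beginning with '$'.
match_naive() is an illustrative matcher that skips only that check; it
is not a copy of any broker's implementation."""


def _levels_match(filter_levels, topic_levels):
    """Level-by-level comparison: '+' matches exactly one level (an empty
    one included), '#' (last level only) matches the remaining levels,
    including none at all, so 'a/#' also matches 'a'."""
    for i, f in enumerate(filter_levels):
        if f == "#":
            return i == len(filter_levels) - 1
        if i >= len(topic_levels):
            return False
        if f != "+" and f != topic_levels[i]:
            return False
    return len(filter_levels) == len(topic_levels)


def match_naive(topic_filter, topic):
    """Wildcard matching WITHOUT the '$' rule: '#' also covers '$SYS/...'."""
    return _levels_match(topic_filter.split("/"), topic.split("/"))


def match_spec(topic_filter, topic):
    """Wildcard matching as the specification requires."""
    if topic.startswith("$") and topic_filter[:1] in ("#", "+"):
        return False
    return match_naive(topic_filter, topic)


# (filter, topic) pairs; topic names are constructed for the demo.
CASES = [
    ("#", "$SYS/broker/uptime"),
    ("+/#", "$SYS/broker/uptime"),
    ("+/monitor/Clients", "$SYS/monitor/Clients"),   # example from the spec text
    ("$SYS/#", "$SYS/broker/uptime"),                 # explicit '$' filter is fine
    ("$SYS/monitor/+", "$SYS/monitor/Clients"),
    ("sensors/#", "sensors"),                         # '#' covers the parent too
    ("sensors/+/temp", "sensors/room1/temp"),
    ("sensors/+", "sensors/room1/temp"),              # '+' is one level only
]


def compare(cases=CASES):
    """Return [(filter, topic, naive_result, spec_result)] for the cases."""
    return [(f, t, match_naive(f, t), match_spec(f, t)) for f, t in cases]


if __name__ == "__main__":
    for f, t, naive, spec in compare():
        flag = "  <-- leak without the $ rule" if naive and not spec else ""
        print(f"{f:20} {t:28} naive={naive!s:5} spec={spec!s:5}{flag}")
```

The three `$SYS` rows are the whole story: the naive matcher says yes, the specification says no, and the difference is exactly what an ACL written only against the `$SYS/#` prefix never sees.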
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.21.11 or later
Vendor Advisory: https://github.com/nanomq/nanomq/issues/1782#issuecomment-2171025812
Restart Required: Yes
Instructions:
1. Download NanoMQ v0.21.11 or later from the official repository (or pull the matching package or container image).
2. Stop the running NanoMQ service.
3. Replace the binary (or image) with the patched version.
4. Restart the NanoMQ service and confirm the version the broker reports.
🔧 Temporary Workarounds
Restrict MQTT Topic Access (including wildcard filters)
Use NanoMQ's ACL to allow `$SYS/#` only to the clients that need it and to keep broad wildcard filters (`#`, `+/#` and the like) away from untrusted clients; with the default set to deny, any filter no rule allows is rejected. A deny rule on `$SYS/#` alone is not enough, because a subscription to `#` never names that prefix. The layout below follows the ACL section of the NanoMQ configuration documentation; compare it with the sample configuration shipped with your version, since the file layout has changed between releases.
# nanomq.conf: enable the ACL and default-deny anything no rule covers
auth {
    allow_anonymous = false
    no_match = deny
    deny_action = disconnect
    acl = {include "/etc/nanomq_acl.conf"}
}
# /etc/nanomq_acl.conf: rules are evaluated top to bottom
rules = [
    # only the monitoring user may read system topics
    {"permit": "allow", "username": "dashboard", "action": "subscribe", "topics": ["$SYS/#"]}
    # application clients get narrow filters only
    {"permit": "allow", "username": "factory", "action": "pubsub", "topics": ["sensors/#"]}
    # everyone else ("#" = all users): no system topics and no broad wildcards
    {"permit": "deny", "username": "#", "action": "subscribe", "topics": ["$SYS/#", "#", "+/#"]}
]
🧯 If You Can't Patch
- Implement network-level restrictions to limit MQTT broker access to trusted clients only.
- Deploy additional authentication and authorization layers before the MQTT broker to validate topic access requests.
🔍 How to Verify
Check if Vulnerable:
Check whether the broker reports v0.21.10, the version named in the CVE. Treat any release older than v0.21.11 as unverified rather than safe until you have run the subscription test below against it.
Check Version:
nanomq --version
Verify Fix Applied:
Confirm the broker reports v0.21.11 or later. Then, from a client that is not authorized for system topics, subscribe to `#` and `+/#` and confirm that no `$SYS/...` messages arrive, while a client that is authorized for `$SYS/#` still receives them during the same window; without that control the negative result proves nothing.
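A live version of that subscription test, as an added example (not NanoMQ's or the vendor's tooling). It assumes paho-mqtt is installed, that `127.0.0.1:1883` and the optional credentials are placeholders for your broker, and that something is published under `$SYS/` during the wait window (NanoMQ's system-topic publishing is configured separately); the run is reported as inconclusive when the control subscription `$SYS/#` receives nothing either.

```python
"""Probe an MQTT broker for the behaviour behind CVE-2024-42655: subscribe
with filters that must never receive '$'-topics and record which ones do.

Added example for this page, not NanoMQ or vendor tooling. Assumes
paho-mqtt is installed, that host/port/credentials below are placeholders
for your broker, and that something is published under '$SYS/' during the
wait window (NanoMQ's system-topic publishing is configured separately)."""
import sys
import time
from collections import defaultdict

# Filters on which a conformant broker never delivers '$'-topics ...
PROBE_FILTERS = ["#", "+/#", "+/+/#"]
# ... and a control filter that does receive them when the ACL allows it.
CONTROL_FILTER = "$SYS/#"


def leaked_by_filter(received):
    """received: iterable of (subscribe_filter, delivered_topic) pairs.
    Returns {filter: sorted '$' topics} for every filter whose first level
    is a wildcard, i.e. deliveries MQTT 3.1.1 section 4.7.2 forbids."""
    leaks = defaultdict(set)
    for flt, topic in received:
        if topic.startswith("$") and flt[:1] in ("#", "+"):
            leaks[flt].add(topic)
    return {f: sorted(t) for f, t in leaks.items()}


def probe(host, port, topic_filter, seconds, username=None, password=None):
    """Open one session, subscribe to topic_filter, collect the topic names
    of everything delivered for `seconds`, then disconnect. One session per
    filter keeps the attribution unambiguous."""
    import paho.mqtt.client as mqtt  # local import: the helpers above run without paho
    seen = []
    try:
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2)  # paho-mqtt 2.x
    except AttributeError:
        client = mqtt.Client()  # paho-mqtt 1.x
    if username is not None:
        client.username_pw_set(username, password)
    # *args absorbs the differing on_connect signatures of paho 1.x and 2.x
    client.on_connect = lambda c, *args: c.subscribe(topic_filter)
    client.on_message = lambda c, userdata, msg: seen.append(msg.topic)
    client.connect(host, port, keepalive=30)
    client.loop_start()
    time.sleep(seconds)
    client.loop_stop()
    client.disconnect()
    return seen


def main(argv):
    host = argv[1] if len(argv) > 1 else "127.0.0.1"  # placeholder broker
    port = int(argv[2]) if len(argv) > 2 else 1883
    received = []
    for flt in PROBE_FILTERS + [CONTROL_FILTER]:
        topics = probe(host, port, flt, seconds=10)
        received += [(flt, t) for t in topics]
        print(f"{flt:8} {len(topics):4} messages, "
              f"{sum(t.startswith('$') for t in topics):4} under '$'")
    leaks = leaked_by_filter(received)
    if leaks:
        print("LEAK: wildcard filters received '$' topics:", leaks)
        return 1
    control_saw_sys = any(f == CONTROL_FILTER and t.startswith("$")
                          for f, t in received)
    print("no '$' topics delivered on wildcard filters" if control_saw_sys
          else "inconclusive: the control filter saw no '$' topics either")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as the unprivileged client you expect to be blocked and once as the account that is allowed `$SYS/#`; the exit code is 1 only when a wildcard filter delivered a `$` topic, which is a specification violation regardless of what the ACL says.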
📡 Detection & Monitoring
Log Indicators:
- Multiple denied subscribe attempts for `$SYS/...` topics from one client, especially when followed by a successful subscription to a broad wildcard filter
- Unexpected wildcard subscription patterns to $SYS/# or similar protected topics
Network Indicators:
- MQTT SUBSCRIBE packets whose topic filters begin with `#` or `+`, or name `$SYS/...`, from clients that have no need for broad or system subscriptions
SIEM Query:
source="nanomq" AND action="subscribe" AND result="success" AND (topic="$SYS/*" OR topic="#" OR topic="+/*") AND NOT user="dashboard"
(Splunk-style pseudo-query: the field names depend on how the broker logs are parsed, and `dashboard` stands for whichever accounts are authorized for `$SYS`.)
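The two log indicators above as detection logic run over constructed sample lines, added here as an example (not NanoMQ output or a vendor query). NanoMQ's own log format differs, so `parse_line()`, the key=value layout and the field names are assumptions to adapt; `ALLOWED_SYS_USERS` and `DENY_BURST` are placeholders for your environment.

```python
"""Detection for the two log indicators on this page, run over constructed
sample lines. Added example, not NanoMQ output: the key=value layout below
is invented for the demo, so adapt parse_line() to your broker's format."""
import re
from collections import Counter

SAMPLE_LOG = """\
2024-07-01T10:00:01Z client=dash-1 user=dashboard action=subscribe topic="$SYS/#" result=success
2024-07-01T10:00:02Z client=sensor-7 user=factory action=subscribe topic="sensors/7/temp" result=success
2024-07-01T10:00:03Z client=scan-x user=guest action=subscribe topic="$SYS/#" result=denied
2024-07-01T10:00:04Z client=scan-x user=guest action=subscribe topic="$SYS/brokers/#" result=denied
2024-07-01T10:00:05Z client=scan-x user=guest action=subscribe topic="#" result=success
2024-07-01T10:00:06Z client=scan-x user=guest action=subscribe topic="+/#" result=success
2024-07-01T10:00:07Z client=sensor-7 user=factory action=publish topic="sensors/7/temp" result=success
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) '
    r'action=(?P<action>\S+) topic="(?P<topic>[^"]*)" result=(?P<result>\S+)$'
)

ALLOWED_SYS_USERS = {"dashboard"}  # accounts authorized for $SYS (placeholder)
DENY_BURST = 2                      # denied $SYS subscribes per client before alerting


def parse_line(line):
    """Return the event fields as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def reaches_system_topics(topic_filter):
    """True for filters that name $SYS directly or start with a wildcard:
    the class of filter that reached $SYS messages on a vulnerable broker."""
    return topic_filter.startswith("$SYS") or topic_filter[:1] in ("#", "+")


def detect(log_text):
    """Return [(timestamp, client, reason)] alerts in log order."""
    alerts = []
    denied = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["action"] != "subscribe":
            continue
        # Indicator 2: a filter that can reach $SYS was accepted for an
        # account that is not supposed to read system topics.
        if (ev["result"] == "success" and reaches_system_topics(ev["topic"])
                and ev["user"] not in ALLOWED_SYS_USERS):
            alerts.append((ev["ts"], ev["client"],
                           f"unauthorized filter {ev['topic']!r} accepted"))
        # Indicator 1: repeated denials on $SYS from one client (probing).
        if ev["result"] != "success" and ev["topic"].startswith("$SYS"):
            denied[ev["client"]] += 1
            if denied[ev["client"]] == DENY_BURST:
                alerts.append((ev["ts"], ev["client"],
                               f"{DENY_BURST} denied $SYS subscribes"))
    return alerts


if __name__ == "__main__":
    for ts, client, reason in detect(SAMPLE_LOG):
        print(f"{ts} {client}: {reason}")
```

On the sample the `dashboard` subscription to `$SYS/#` is silent, the sensor client is silent, and `scan-x` raises three alerts: the denial burst at 10:00:04 and the two accepted wildcard filters that follow it, which is the sequence an attacker probing for this bypass leaves behind.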