Executive Summary

This vulnerability exists in RabbitMQ's MQTT plugin versions from 4.2.0 to before 4.2.4. The plugin uses regular expressions with variable substitution to enforce topic-level authorization, allowing administrators to restrict user access to specific topics based on client IDs.

However, the client_id used in these regex patterns is provided by the user in the MQTT CONNECT packet and is inserted into the regex without escaping special regex characters. This allows an authenticated MQTT user to inject regex operators, potentially bypassing the intended authorization restrictions.

The issue was fixed in RabbitMQ versions 4.2.4 and 4.3.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an authenticated MQTT user to bypass topic-level authorization controls by injecting special regex characters into the client_id. As a result, the user may gain unauthorized access to topics they should not have permission to access.

This unauthorized access could lead to exposure of sensitive messaging data or unauthorized message publishing, potentially compromising the confidentiality and integrity of the messaging system.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade RabbitMQ to version 4.2.4 or later, or 4.3.0 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated MQTT user to bypass topic-level authorization and gain unauthorized access to restricted topics. Such unauthorized access to data or messaging channels could lead to exposure or manipulation of sensitive information.

In the context of compliance with standards like GDPR or HIPAA, this unauthorized access risk could result in violations related to data confidentiality, integrity, and access controls, which are critical requirements in these regulations.

Therefore, if exploited, this vulnerability could undermine compliance efforts by enabling unauthorized data access or actions, potentially leading to regulatory penalties or breaches of privacy obligations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring MQTT CONNECT packets for client_id values that contain special regex characters which could be used to inject regex operators and bypass topic-level authorization.

One approach is to capture and inspect MQTT CONNECT packets to identify client_id fields with suspicious patterns such as regex metacharacters (e.g., ., *, +, ?, ^, $, [, ], (, ), |, \).

For example, using tcpdump or tshark to filter MQTT CONNECT packets and extract client_id values:

• tcpdump -i <interface> -s 0 -w mqtt_connect.pcap 'tcp port 1883'
• tshark -r mqtt_connect.pcap -Y 'mqtt.msgtype == 1' -T fields -e mqtt.clientid

After extracting client_id values, review them for regex special characters that could be used to bypass authorization.

Additionally, review RabbitMQ MQTT plugin configuration for topic-level authorization patterns that use {client_id} variable substitution without escaping.

Useful 0 Not Useful 0