CVE-2026-13491

Denial of Service in Xiaozhi-ESP32 MQTT Protocol

Vulnerability report for CVE-2026-13491, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A vulnerability was found in 78 xiaozhi-esp32 (vendor 78, product xiaozhi-esp32) in versions up to and including 2.2.6. It affects the function Application::GetInstance in the file main/protocols/mqtt_protocol.cc, part of the MQTT Goodbye Handler component. Manipulating the session_id argument of a goodbye message results in a denial of service. The attack can be carried out remotely; attack complexity is rated high and exploitability is rated difficult. A public exploit exists and may be used. The fix is commit e182471f8c5a22434346bd98da34d3b66c8c8b3e; applying the patch is recommended.


Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: xiaozhi
Product: esp32
Version / Range: up to and including 2.2.6

CWE

CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.

Executive Summary

The flaw is in the MQTT protocol implementation of the xiaozhi-esp32 firmware, specifically in its handling of MQTT goodbye messages. The goodbye handler in main/protocols/mqtt_protocol.cc (the code path around Application::GetInstance) does not properly validate the session_id argument. A crafted goodbye message with a missing, invalid or mismatched session_id causes the device to tear down its active audio session, which is the denial of service. The root cause is that goodbye messages are acted on without checking that the session_id matches the session currently open and without binding the message to the expected topic or source.

Impact Analysis

A remote attacker can terminate active audio sessions on affected devices, closing the active UDP audio channel unexpectedly and disrupting normal operation. The attacker only needs to get a crafted MQTT goodbye message delivered to the device; knowledge of the current session ID is not required. Deployments are most exposed where the broker grants broad (wildcard) subscriptions, where publisher credentials are shared or leaked, or where the broker is otherwise misconfigured, since each of those lets an untrusted party publish a message the device will process.

Detection Guidance

Monitor MQTT traffic for goodbye messages that lack a valid session_id or that arrive on topics unrelated to the device's session. The payload of interest is a JSON object such as {"type": "goodbye"} with no session_id string, or a goodbye whose session_id does not match the session the device currently has open; either will terminate the active audio session on an unpatched device.

Suggested approaches:

  • Capture MQTT traffic with tcpdump or Wireshark and filter for payloads containing "goodbye". This only works for plaintext MQTT on port 1883; MQTT over TLS (typically port 8883) has to be inspected at the broker or on the client, not on the wire.
  • Example tcpdump command, which prints only TCP segments that carry payload and then greps them: tcpdump -i <interface> -A -s 0 'tcp port 1883 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i goodbye
  • Subscribe to the relevant topics with an MQTT client (e.g., mosquitto_sub -v, which prints the topic alongside each payload) and check goodbye messages for a missing or mismatched session_id field, or for goodbyes arriving on a topic the device should not be receiving control messages on.
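The session check the Executive Summary describes as missing, and the detection logic sketched above, as one added example (this is not code from the xiaozhi-esp32 project or from the patch). It models the unpatched behaviour (any goodbye closes the session) beside a hardened check (only a goodbye naming the currently active session counts), then runs that check over a constructed capture of (topic, payload) pairs as a broker or client tap would deliver them. The topic names, session id values and the exact JSON shape are assumptions for illustration; the advisory only names the {"type": "goodbye"} payload and the session_id field.

```python
"""Audit captured MQTT control messages for the goodbye/session_id check
that CVE-2026-13491 describes as missing.

Added example, not code from the xiaozhi-esp32 project. Topic names,
session ids and the exact JSON shape below are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Any, Iterable, List, Optional, Tuple


@dataclass
class Finding:
    topic: str
    payload: str
    reason: str


def vulnerable_accepts(payload: dict) -> bool:
    """Models the behaviour the advisory attributes to the unpatched
    handler: any goodbye tears down the audio session, no session check."""
    return payload.get("type") == "goodbye"


def hardened_accepts(payload: dict, active_session_id: Optional[str]) -> bool:
    """Goodbye closes the session only when it carries a non-empty string
    session_id equal to the session currently open on the device."""
    if payload.get("type") != "goodbye":
        return False
    sid = payload.get("session_id")
    if not isinstance(sid, str) or not sid:
        return False
    return active_session_id is not None and sid == active_session_id


def audit_goodbye_messages(
    messages: Iterable[Tuple[str, str]],
    device_topic: str,
    active_session_id: Optional[str],
) -> List[Finding]:
    """Return the goodbyes in a (topic, raw_payload) capture that the
    unpatched handler would act on but the hardened check would reject."""
    findings: List[Finding] = []
    for topic, raw in messages:
        try:
            payload: Any = json.loads(raw)
        except (ValueError, TypeError):
            continue  # not JSON, so not a control message of this shape
        if not isinstance(payload, dict) or not vulnerable_accepts(payload):
            continue
        if topic != device_topic:
            # Broad subscriptions let goodbyes meant for other sessions in.
            findings.append(Finding(topic, raw, "goodbye on unrelated topic"))
        elif not hardened_accepts(payload, active_session_id):
            sid = payload.get("session_id")
            if not isinstance(sid, str) or not sid:
                reason = "goodbye without a session_id string"
            elif active_session_id is None:
                reason = "goodbye while no session is active"
            else:
                reason = f"session_id {sid!r} does not match the active session"
            findings.append(Finding(topic, raw, reason))
    return findings


# Constructed sample capture (not real traffic); topic and ids are assumed.
DEVICE_TOPIC = "devices/esp32-01/in"
ACTIVE_SESSION = "a1b2c3"
SAMPLE_CAPTURE = [
    (DEVICE_TOPIC, '{"type": "hello", "session_id": "a1b2c3"}'),
    (DEVICE_TOPIC, '{"type": "goodbye"}'),                          # no id
    (DEVICE_TOPIC, '{"type": "goodbye", "session_id": "zzz999"}'),  # forged id
    ("devices/esp32-02/in", '{"type": "goodbye", "session_id": "a1b2c3"}'),  # other device
    (DEVICE_TOPIC, '{"type": "goodbye", "session_id": "a1b2c3"}'),  # legitimate
    (DEVICE_TOPIC, "not json at all"),
]


if __name__ == "__main__":
    for f in audit_goodbye_messages(SAMPLE_CAPTURE, DEVICE_TOPIC, ACTIVE_SESSION):
        print(f"{f.topic}: {f.reason}: {f.payload}")
```

Run on the constructed capture, the audit flags three of the four goodbyes (missing id, forged id, wrong topic) and leaves the one that names the live session alone. Feeding it the output of a mosquitto_sub -v tap on the device's subscription, split into topic and payload, gives the same classification on real traffic.
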
Mitigation Strategies

The primary mitigation is to apply the patch identified by commit e182471f8c5a22434346bd98da34d3b66c8c8b3e, which adds validation of the session_id in MQTT goodbye messages so that a goodbye which does not name the active session no longer terminates it.

Until the patch is deployed, reduce who can get a goodbye message to the device:

  • Enforce strict MQTT broker Access Control Lists (ACLs) so that only the intended server identity can publish to each device's inbound control topic.
  • Subscribe devices to exact topics rather than broad wildcard subscriptions, so goodbyes addressed to other sessions are never delivered to them.
  • Secure MQTT broker credentials and do not share publisher credentials across devices or services; a leaked publisher credential is enough to inject the message.
  • Keep MQTT brokers off untrusted networks and the public internet, and prefer MQTT over TLS with authenticated clients.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
