Package: mosquitto
Version: 2.0.11-1
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
If you configure a websocket listener for mosquitto with an IP address to bind to, mosquitto will instead bind the wildcard address. This renders a secure configuration insecure. A simple configuration producing this behaviour is a default installation together with one config update:

$ cat /etc/mosquitto/conf.d/listen.conf
bind_address localhost
listener 9001 127.0.0.1
protocol websockets
$

If you (re)start mosquitto, you can see the insecure bind:

$ ss -tlp
...
LISTEN 0 4096 *:9001 *:* users:(("mosquitto",pid=269,fd=7))
...
$

The mosquitto.conf manual page in section 5 says that for websockets, you can only give an IP address as bind address, which kinda implies that you can give an IP address there. I think it is a reasonable expectation that binding to 127.0.0.1 should be secure.

I am filing this as severity serious, because normally a security vulnerability would be grave, but this vulnerability only surfaces in a (possibly common) non-default configuration. Hence lowering to serious.

I note (mostly for myself) that the following invocation reproduces the problem:

debvm-create -- --include iproute2,mosquitto --customize-hook='printf "bind_address localhost\\nlistener 9001 127.0.0.1\\nprotocol websockets\\n" > "$1/etc/mosquitto/conf.d/listen.conf"'

Helmut
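The `ss -tlp` check in the report above can be turned into a small automated audit. The POSIX shell script below is an added example, not part of Helmut's report or of the mosquitto project: it scans `ss -tlp`-style output and reports every listening socket of a named process that is bound to a wildcard address (`*`, `0.0.0.0`, `[::]`), which is exactly the symptom the report describes for port 9001. The sample `ss` lines embedded in `SAMPLE_SS_OUTPUT` are constructed to mirror the report's output (with an extra IPv6 wildcard and an unrelated sshd line); the function names `wildcard_listeners` and `count_wildcard_listeners` are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): flag wildcard binds in `ss -tlp` output.
# Constructed sample output modelled on the report; the 127.0.0.1:1883 line is the
# plain MQTT listener bound correctly, *:9001 is the websocket listener that ignored
# its configured bind address, [::]:9002 is a constructed IPv6 wildcard case.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:1883     *:*               users:(("mosquitto",pid=269,fd=5))
LISTEN 0      4096   *:9001             *:*               users:(("mosquitto",pid=269,fd=7))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=100,fd=3))
LISTEN 0      4096   [::]:9002          [::]:*            users:(("mosquitto",pid=269,fd=8))'

# wildcard_listeners PROCNAME
# Reads `ss -tlp` output on stdin and prints "PORT ADDRESS" for each LISTEN
# socket owned by PROCNAME whose local address is a wildcard.
wildcard_listeners() {
    proc="$1"
    awk -v proc="$proc" '
        # Only LISTEN rows whose Process column names the wanted program
        # (ss prints it as users:(("name",pid=...,fd=...)), hence the quotes).
        $1 == "LISTEN" && index($0, "\"" proc "\"") {
            # Column 4 is Local Address:Port; the port is the text after the
            # last colon, everything before it is the address ([::] included).
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
                print port, addr
        }'
}

# count_wildcard_listeners PROCNAME
# Same input on stdin; prints the number of wildcard binds found. A result of
# 0 means every listener of PROCNAME is bound to a specific address.
count_wildcard_listeners() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; on a real host you would
# feed the live output instead:  ss -tlp | wildcard_listeners mosquitto
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners mosquitto
```

Running it against the sample prints `9001 *` and `9002 [::]` and nothing for the correctly bound 1883 listener; `count_wildcard_listeners` gives a number that can be compared against 0 in a post-deployment check, so a regression of this kind is caught before the broker is exposed.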