A high-severity zero-day vulnerability in the Internet-of-Things (IoT) open-source platform NanoMQ has put more than 100 million devices at risk of attack.
NanoMQ by EMQ is a real-time IoT monitoring platform that delivers alerts when abnormal activity is detected in IoT devices. The platform is used in many settings, including industrial systems, manufacturing, healthcare, automobiles, and many more. The vulnerability, which has not been assigned a CVE, was given a CVSS severity score of 7.1 out of 10.
Researchers at Guardara discovered multiple issues with EMQ NanoMQ that caused the product to crash. The researchers explained that any IoT device that uses EMQ NanoMQ could be attacked and brought down completely. While device crashes may not cause major problems in some settings, the implications could be serious. For instance, the platform is used in conjunction with medical devices for monitoring unusual activity when patients leave hospital and for detecting fires.
This issue is due to a flaw in EMQ’s implementation of MQTT, the messaging protocol standard for IoT. MQTT is a lightweight publish/subscribe messaging transport used for connecting remote devices. It has a small code footprint, requires minimal network bandwidth, and is widely used in settings that rely on low-bandwidth smart sensors.
The issue with EMQ’s NanoMQ is in its handling of the MQTT packet length. As the researchers explained, “when the MQTT packet length is tampered with and is lower than expected, a ‘memcpy’ operation receives a size value that makes the source buffer location point to or into an unallocated memory area.” This causes NanoMQ to crash. “Suspected that the unusual packet length ‘msg_len’ is a smaller value than ‘used_pos,’ therefore the subtraction results in a negative number. However, ‘memcpy’ expects the size as ‘size_t,’ which is unsigned. Therefore, due to the casting of a negative number to ‘size_t’, the length becomes a very large positive number (0xfffffffc in case of this proof of concept),” said researcher Zsolt Imre.
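The following is an added illustration of the length-handling flaw described above, not code from NanoMQ or from the Guardara researchers. It uses hypothetical names (`msg_len`, `used_pos`, `handle_payload`) that only mirror the quoted description, and contrasts the unchecked signed subtraction with a bounds-checked version that rejects a tampered length before any copy takes place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names modelled on the advisory's description; these are
 * not NanoMQ's real internals. */

/* Unchecked computation as described: when msg_len < used_pos the int
 * subtraction is negative, and converting it to size_t wraps to a huge
 * value (0xfffffffc for -4 with a 32-bit size_t, as in the researchers'
 * proof of concept). Passing that to memcpy reads far past the packet. */
size_t remaining_unchecked(int msg_len, int used_pos)
{
    return (size_t)(msg_len - used_pos);
}

/* Hardened form: confirm the header-declared length covers the bytes
 * already consumed before deriving a copy length. Returns 0 for a
 * malformed packet and leaves *out untouched. */
int remaining_checked(size_t msg_len, size_t used_pos, size_t *out)
{
    if (msg_len < used_pos)
        return 0; /* tampered or truncated length: reject, do not copy */
    *out = msg_len - used_pos;
    return 1;
}

/* Simulated handler: copy the remaining payload into dst only when the
 * length is self-consistent and inside both buffers. Returns the number
 * of bytes copied, or -1 when the packet is rejected. */
int handle_payload(const uint8_t *pkt, size_t pkt_len, size_t msg_len,
                   size_t used_pos, uint8_t *dst, size_t dst_cap)
{
    size_t n;
    if (!remaining_checked(msg_len, used_pos, &n))
        return -1;
    if (n > pkt_len - used_pos || n > dst_cap) /* source and destination bounds */
        return -1;
    memcpy(dst, pkt + used_pos, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a declared length (4) smaller than the bytes
     * already consumed (8), the condition the researchers describe. */
    printf("unchecked length: %zu\n", remaining_unchecked(4, 8));
    size_t n;
    printf("checked accepts: %d\n", remaining_checked(4, 8, &n));
    return 0;
}
```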
Guardara CEO Mitali Rakhit said it is easy to trigger a crash. All that is required to conduct a denial-of-service attack exploiting the vulnerability is some basic networking and scripting skills.
EMQ has issued fixes that correct the software vulnerability. Firmware upgrades will be required to fix the flaw on all IoT devices that use NanoMQ. Users should check with their device vendors about performing a firmware upgrade to fix the vulnerability.