severity 1032029 normal
thanks

Hi,

I looked into this as it's the underlying reason for why a bunch of
packages are "flagged for removal" because of "buggy deps
mosquitto".

* Helmut Grohne [Sun Feb 26, 2023 at 08:37:13PM +0100]:

> If you configure a websocket listener for mosquitto with an IP address
> to bind to, mosquitto will instead bind the wildcard address. This
> renders a secure configuration insecure.
>
> A simple configuration producing this behaviour is a default
> installation together with one config update:
>
> $ cat /etc/mosquitto/conf.d/listen.conf
> bind_address localhost
> listener 9001 127.0.0.1
> protocol websockets
> $
>
> If you (re)start mosquitto, you can see the insecure bind:
>
> $ ss -tlp
> ...
> LISTEN    0         4096                     *:9001                   *:*     users:(("mosquitto",pid=269,fd=7))
> ...
> $
>
> The mosquitto.conf manual page in section 5 says that for websockets,
> you can only give an IP address as bind address, which kinda implies
> that you can give an IP address there. I think it is a reasonable
> expectation that binding to 127.0.0.1 should be secure.

With your configuration applied I see the following line in the logs:

|  mosquitto[1750]: 1678096815: The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.

Quoting from mosquitto.conf(5) (also see
https://mosquitto.org/man/mosquitto-conf-5.html):

|    bind_address address
|
|        This option is deprecated and will be removed in a future
|        version. Use the listener instead.
|
|        Listen for incoming network connections on the specified IP
|        address/hostname only. This is useful to restrict access to
|        certain network interfaces. To restrict access to mosquitto
|        to the local host only, use "bind_address localhost". This
|        only applies to the default listener. Use the listener option
|        to control other listeners.
|
|        It is recommended to use an explicit listener rather than
|        rely on the implicit default listener options like this.

And indeed, with a configuration like follows:

| # cat /etc/mosquitto/conf.d/listen.conf
| listener 1883 127.0.0.1
| socket_domain ipv4
| protocol mqtt
|
| listener 9001 127.0.0.1
| socket_domain ipv4
| protocol websockets

... it behaves as documented/expected:

| # ss -tlpn | grep mosquitto
| LISTEN 0      4096       127.0.0.1:9001      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=8))
| LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=5))

Using *only* `bind_address localhost` inside
/etc/mosquitto/conf.d/listen.conf also makes the default listener
active on localhost only, as expected and documented:

| # ss -tlpn | grep mosquitto
| LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=2027,fd=5))

> I am filing this as severity serious, because normally a security
> vulnerability would be grave, but this vulnerability only surfaces in a
> (possibly common) non-default configuration. Hence lowering to serious.

IMO this isn't even a bug, so for now I downgraded the severity,
though if you agree I'd tend to close this bug report. (But I'm
neither the bug reporter nor the package maintainer, so leaving that
to either one of you :))

regards
-mika-
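A small defender-side check, added here and not part of the bug thread or the mosquitto project, that parses `ss -tlpn` output and reports any mosquitto listening socket bound to a wildcard address (the symptom Helmut's report shows). The sample rows are constructed after the outputs quoted above, including the wrapped `users:` column as it appears in the mail.

```python
"""Flag mosquitto listening sockets bound to a wildcard address in `ss -tlpn` output."""
import re
from typing import List, Tuple

# One `ss -tlpn` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=..,fd=..))
SS_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+users:\(\("(?P<proc>[^"]+)"'
)

# Local addresses that mean "every interface" (IPv4, IPv6 or dual-stack)
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}

# Constructed samples, shaped after the `ss` output quoted in the thread.
BUGGY_SS = '''LISTEN    0         4096                     *:9001                   *:*
   users:(("mosquitto",pid=269,fd=7))'''
FIXED_SS = '''LISTEN 0      4096       127.0.0.1:9001      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=8))
LISTEN 0      100        127.0.0.1:1883      0.0.0.0:*    users:(("mosquitto",pid=1994,fd=5))'''


def _unwrap(text: str) -> List[str]:
    """Re-join rows whose trailing users:(...) column was wrapped onto its own line."""
    rows: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("users:") and rows:
            rows[-1] += " " + line
        elif line:
            rows.append(line)
    return rows


def wildcard_binds(ss_output: str, process: str = "mosquitto") -> List[Tuple[str, int]]:
    """Return (address, port) for each listening socket of `process` on a wildcard address."""
    findings: List[Tuple[str, int]] = []
    for row in _unwrap(ss_output):
        m = SS_ROW.match(row)
        if not m or m.group("proc") != process:
            continue
        host, _, port = m.group("local").rpartition(":")
        if host in WILDCARDS and port.isdigit():
            findings.append((host, int(port)))
    return findings


if __name__ == "__main__":
    for label, sample in (("buggy", BUGGY_SS), ("fixed", FIXED_SS)):
        print(label, wildcard_binds(sample) or "all listeners bound to a specific address")
```

Run it against live output with `wildcard_binds(subprocess.check_output(["ss", "-tlpn"], text=True))`; the `users:` column only appears when `ss` is run with enough privilege to see the owning process.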
