Hi, On Sun, 01 Jan 2017 12:13:30 +0100 Salvatore Bonaccorso <car...@debian.org> wrote: ...
> > Hi, > > the following vulnerability was published for rabbitmq-server. > > CVE-2016-9877[0]: > | An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x > | before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before > | 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) > | connection authentication with a username/password pair succeeds if an > | existing username is provided but the password is omitted from the > | connection request. Connections that use TLS with a client-provided > | certificate are not affected. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2016-9877 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9877 > [1] https://github.com/rabbitmq/rabbitmq-mqtt/pull/98 > [2] https://github.com/rabbitmq/rabbitmq-mqtt/issues/96 > > Please adjust the affected versions in the BTS as needed. I was only > able to check the vulnerability sourcewise for 3.6.5 in unstable, > older version have not been checked so far. I'm attaching a proposed patch for jessie which builds fine but has not been tested further. Wheezy is not affected since the vulnerable mqtt plugin is not present. Cheers, Balint
>From 157948d86d391a325ac9702f78976c175ced58be Mon Sep 17 00:00:00 2001 From: Daniil Fedotov <dfedo...@pivotal.io> Date: Mon, 5 Sep 2016 12:33:49 +0100 Subject: [PATCH] Auth issue fix 039a3c22e57bf77b325d19494a9b20cd745f1ea7 backport . Backported to Debian Jessie's 3.3.5-1.1 by Balint Reczey as part of the LTS work. --- src/rabbit_mqtt_processor.erl | 63 ++++++++++++++------------- test/Makefile | 2 +- test/src/com/rabbitmq/mqtt/test/MqttTest.java | 12 +++++ 3 files changed, 45 insertions(+), 32 deletions(-) --- a/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl +++ b/plugins-src/rabbitmq-mqtt/src/rabbit_mqtt_processor.erl @@ -75,7 +75,13 @@ _ -> case creds(Username, Password) of nocreds -> - rabbit_log:error("MQTT login failed - no credentials~n"), + rabbit_log:error("MQTT login failed: no credentials provided~n"), + {?CONNACK_CREDENTIALS, PState}; + {invalid_creds, {undefined, Pass}} when is_list(Pass) -> + rabbit_log:error("MQTT login failed: no user username is provided"), + {?CONNACK_CREDENTIALS, PState}; + {invalid_creds, {User, undefined}} when is_list(User) -> + rabbit_log:error("MQTT login failed for ~p: no password provided", [User]), {?CONNACK_CREDENTIALS, PState}; {UserBin, PassBin} -> case process_login(UserBin, PassBin, ProtoVersion, PState) of @@ -370,20 +376,25 @@ DefaultUser = rabbit_mqtt_util:env(default_user), DefaultPass = rabbit_mqtt_util:env(default_pass), Anon = rabbit_mqtt_util:env(allow_anonymous), - U = case {User =/= undefined, is_binary(DefaultUser), Anon =:= true} of - {true, _, _ } -> list_to_binary(User); - {false, true, true} -> DefaultUser; - _ -> nocreds - end, - case U of - nocreds -> - nocreds; - _ -> - case {Pass =/= undefined, is_binary(DefaultPass), Anon =:= true} of - {true, _, _ } -> {U, list_to_binary(Pass)}; - {false, true, true} -> {U, DefaultPass}; - _ -> {U, none} - end + HaveDefaultCreds = Anon =:= true andalso + is_binary(DefaultUser) andalso + is_binary(DefaultPass), + + CredentialsProvided = User =/= undefined orelse + Pass =/= undefined, + + CorrectCredentials = is_list(User) andalso + is_list(Pass), + + case {CredentialsProvided, CorrectCredentials, HaveDefaultCreds} of + %% Username and password take priority + {true, true, _} -> {list_to_binary(User), + list_to_binary(Pass)}; + %% Either username or password is provided + {true, false, _} -> {invalid_creds, {User, Pass}}; + %% Anonymous connection uses default credentials + {false, false, true} -> {DefaultUser, DefaultPass}; + _ -> nocreds end. supported_subs_qos(?QOS_0) -> ?QOS_0; --- a/plugins-src/rabbitmq-mqtt/test/Makefile +++ b/plugins-src/rabbitmq-mqtt/test/Makefile @@ -1,4 +1,4 @@ -UPSTREAM_GIT=https://git.eclipse.org/gitroot/paho/org.eclipse.paho.mqtt.java.git +UPSTREAM_GIT=https://github.com/eclipse/paho.mqtt.java.git REVISION=00b5b2f99ae8410b7d96d106e080a092c5f92546 JC=javac --- a/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java +++ b/plugins-src/rabbitmq-mqtt/test/src/com/rabbitmq/mqtt/test/MqttTest.java @@ -163,6 +163,18 @@ } } + public void testEmptyPassword() throws MqttException { + MqttClient c = new MqttClient(brokerUrl, clientId, null); + MqttConnectOptions opts = new MyConnOpts(); + opts.setUserName("guest"); + opts.setPassword(null); + try { + c.connect(opts); + fail("Authentication failure expected"); + } catch (MqttException ex) { + Assert.assertEquals(MqttException.REASON_CODE_FAILED_AUTHENTICATION, ex.getReasonCode()); + } + } public void testSubscribeQos0() throws MqttException, InterruptedException { client.connect(conOpt);