CyRC Identifies Three Major DoS Flaws in Popular Open Source Message Brokers


The Synopsys Cybersecurity Research Center (CyRC) has warned organizations of easily triggered denial-of-service (DoS) vulnerabilities in three widely used open-source message brokers: RabbitMQ, EMQ X, and VerneMQ.

A message broker is software that lets applications, systems, and services exchange information: it accepts messages from producers, routes them to consumers, and often translates between formal messaging protocols along the way. One of those protocols, Message Queuing Telemetry Transport (MQTT), is the lightweight publish/subscribe protocol commonly used to manage IoT devices such as smart home hubs and door locks.

MQTT was created in 1999 to monitor oil pipelines over satellite links and is now used for a wide range of home and industrial automation tasks. Because every message in such a system passes through the broker, a disruption in MQTT messaging could potentially leave users locked out of their homes and offices.

“Message brokers can be the nerve center of a complex system. If the message broker isn't working, then the various components of the system cannot communicate. Whatever services are provided by that system are unavailable until the message broker is restored,” Jonathan Knudsen, the researcher who identified the vulnerabilities, told SecurityWeek. 

Knudsen found that specially crafted MQTT messages cause excessive memory consumption in RabbitMQ (owned by VMware), EMQ X, and VerneMQ, until the operating system terminates the broker process. Because the broker, not the sender, pays the memory cost, a single client that can reach the broker is enough to take the service away from every other component that depends on it.

“These vulnerabilities can be exploited by any system that has access to the message broker. The broker can be configured to require authentication or refuse connections from unrecognized endpoints which would limit external attacks. But for an attacker with access to one of the vulnerable message brokers, the vulnerabilities can be exploited simply by delivering a badly formed network packet, which can be done with a very simple script,” Knudsen explained.

According to EMQ, its message broker has been installed more than 2 million times and it has over 5,000 users globally. RabbitMQ claims to have tens of thousands of users, including small startups and large enterprises. VerneMQ is used by companies such as Microsoft, Volkswagen, Siemens, and Swisscom.

Knudsen and CyRC privately disclosed the flaws to the project maintainers back in March, and all three have now been patched. RabbitMQ users are advised to upgrade to version 3.8.16 or later, EMQ X users to 4.2.8 or later, and VerneMQ users to 1.12.0 or later. Requiring authentication and restricting which endpoints may connect reduces exposure in the meantime, but it does not remove the flaw: any client that is allowed to connect can still trigger it, so upgrading is the only real fix.
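The two actions a practitioner takes from this report are to check broker versions against the fixed releases above and to review whether the broker accepts MQTT connections from anyone who can reach the port, the mitigation Knudsen describes. The script below does both for a RabbitMQ deployment. It is an added example, not code from CyRC or from any of the three projects. The rabbitmq.conf key names it reads (mqtt.allow_anonymous, mqtt.listeners.tcp, mqtt.listeners.ssl.*, ssl_options.verify, ssl_options.fail_if_no_peer_cert) are RabbitMQ's real MQTT plugin settings; the two sample configurations, the file paths in them and the version strings fed to the checker are constructed for this example. EMQ X and VerneMQ use different configuration formats and are only covered by the version check.

```python
"""Version and configuration audit for a RabbitMQ MQTT deployment.

Added example, not code from CyRC or from any of the three projects.
Check 1: is the broker at or above the fixed release named in the advisory?
Check 2: does rabbitmq.conf leave the MQTT plugin reachable by anyone who can
         hit the port (anonymous login, a non-TLS listener, no client certs)?
The rabbitmq.conf key names are RabbitMQ's real settings; the sample configs,
file paths and version strings below are constructed for this example.
"""
import re

# Fixed releases from the advisory; anything older is affected.
FIXED_VERSIONS = {
    "rabbitmq": "3.8.16",
    "emqx": "4.2.8",
    "vernemq": "1.12.0",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(ver):
    """Turn '3.8.16', '3.8.16-rc.1' or '3.8.16+build.7' into a comparable tuple.

    Comparing version strings lexically is a classic audit bug ('3.8.9' > '3.8.16'),
    so each numeric component becomes an int, missing components are padded with 0,
    and a trailing flag ranks a pre-release below its final release.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    parts.append(0 if m.group(2) else 1)  # 0 = pre-release, 1 = final release
    return tuple(parts)


def is_patched(product, version):
    """True if `version` of `product` is at or above the fixed release."""
    fixed = FIXED_VERSIONS[product.lower()]
    return parse_version(version) >= parse_version(fixed)


def parse_rabbitmq_conf(text):
    """Minimal reader for the `key = value` rabbitmq.conf format ('#' starts a comment)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_mqtt_exposure(settings):
    """Return findings describing who can reach the MQTT plugin.

    The checks follow Knudsen's mitigation advice: require authentication and refuse
    connections from endpoints you do not recognise. Fallback values are the plugin's
    real defaults (anonymous login allowed, plain TCP listener on 1883).
    """
    findings = []
    if settings.get("mqtt.allow_anonymous", "true").lower() == "true":
        findings.append("mqtt.allow_anonymous is true: unauthenticated clients can send MQTT packets")
    # The only way to turn the plain-TCP listener off is an explicit `none`.
    if settings.get("mqtt.listeners.tcp", "").lower() != "none":
        findings.append("plain TCP MQTT listener enabled: set mqtt.listeners.tcp = none and use TLS only")
    has_tls_listener = any(k.startswith("mqtt.listeners.ssl.") for k in settings)
    requires_client_cert = (
        settings.get("ssl_options.verify") == "verify_peer"
        and settings.get("ssl_options.fail_if_no_peer_cert", "").lower() == "true"
    )
    if has_tls_listener and not requires_client_cert:
        findings.append("TLS listener accepts clients without a certificate: set "
                        "ssl_options.verify = verify_peer and ssl_options.fail_if_no_peer_cert = true")
    return findings


# Constructed sample: the out-of-the-box posture, with the defaults written out.
WEAK_CONF = """
# AMQP listener
listeners.tcp.default = 5672
# MQTT plugin, as shipped
mqtt.listeners.tcp.default = 1883
mqtt.allow_anonymous = true
"""

# Constructed sample: TLS only, mutual authentication, no anonymous login. Paths are assumed.
HARDENED_CONF = """
mqtt.listeners.tcp = none
mqtt.listeners.ssl.default = 8883
ssl_options.cacertfile = /etc/rabbitmq/ca.pem
ssl_options.certfile = /etc/rabbitmq/server.pem
ssl_options.keyfile = /etc/rabbitmq/server.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
mqtt.allow_anonymous = false
"""

if __name__ == "__main__":
    for product, version in [("rabbitmq", "3.8.9"), ("emqx", "4.2.8"), ("vernemq", "1.11.0")]:
        state = "patched" if is_patched(product, version) else f"VULNERABLE, upgrade to {FIXED_VERSIONS[product]}"
        print(f"{product} {version}: {state}")
    for name, conf in [("default-style config", WEAK_CONF), ("hardened config", HARDENED_CONF)]:
        findings = audit_mqtt_exposure(parse_rabbitmq_conf(conf))
        print(f"{name}: {len(findings)} exposure finding(s)")
        for finding in findings:
            print("  -", finding)
```

Note that the hardened configuration only narrows who can connect; a client that holds a valid certificate and credentials can still send the malformed packet and exhaust memory on an unpatched broker, which is why the version check comes first.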