Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt

Rule Explanation

This event is generated when an attacker attempts to exploit a buffer overflow vulnerability in Eclipse Mosquitto.

Impact: Attempted User Privilege Gain

Details: This rule checks for attempts to exploit a buffer overflow vulnerability in Eclipse Mosquitto's handling of MQTT SUBSCRIBE packets.

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2019-11779
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
Details
Severity: MEDIUM
Base Score: 4.0
Impact Score: 2.9
Exploit Score: 8.0
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Access Vector: NETWORK
Authentication: SINGLE
Ease of Access: LOW
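As an added example (not from the Talos rule page or the Mosquitto project), the following minimal MQTT 3.1.1 SUBSCRIBE parser flags topic filters whose count of '/' hierarchy separators reaches the depth given in the CVE description above. The threshold constant, helper names and sample packets are constructed here for illustration.

```python
# Added detection example for the CVE-2019-11779 pattern described above:
# parse an MQTT SUBSCRIBE packet and flag topic filters with an excessive
# number of '/' separators. Names, threshold and samples are constructed.

SLASH_THRESHOLD = 65400  # depth cited in the CVE text


def decode_remaining_length(data, pos):
    """Decode the MQTT variable-length 'Remaining Length' field (1-4 bytes)."""
    multiplier, value = 1, 0
    for _ in range(4):
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_subscribe(packet):
    """Return the topic filters of a SUBSCRIBE packet, or None if another type."""
    if (packet[0] >> 4) != 8:  # control packet type 8 = SUBSCRIBE
        return None
    remaining, pos = decode_remaining_length(packet, 1)
    end = pos + remaining
    if end > len(packet):
        raise ValueError("truncated packet")
    pos += 2  # skip the 2-byte packet identifier
    topics = []
    while pos < end:
        tlen = int.from_bytes(packet[pos:pos + 2], "big")
        topic = packet[pos + 2:pos + 2 + tlen]
        if len(topic) != tlen:
            raise ValueError("truncated topic filter")
        pos += 2 + tlen + 1  # length prefix, filter bytes, requested-QoS byte
        topics.append(topic)
    return topics


def suspicious_topics(packet, threshold=SLASH_THRESHOLD):
    """Return the topic filters whose '/' count reaches the threshold."""
    topics = parse_subscribe(packet) or []
    return [t for t in topics if t.count(b"/") >= threshold]


def build_subscribe(topics, packet_id=1):
    """Construct a QoS 0 SUBSCRIBE packet; used only to build sample input."""
    body = packet_id.to_bytes(2, "big")
    for t in topics:
        body += len(t).to_bytes(2, "big") + t + b"\x00"
    remaining, n = b"", len(body)
    while True:  # encode Remaining Length, 7 bits per byte, MSB = continuation
        digit, n = n % 128, n // 128
        remaining += bytes([digit | (0x80 if n else 0)])
        if not n:
            return bytes([0x82]) + remaining + body
```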