Open source project Mosquitto underwent a security audit by OSTIF and Trail of Bits, in collaboration with the Eclipse Foundation. The project, a message broker for the MQTT protocol, is designed to connect Internet of Things devices. Projects exposed to the internet present a larger attack surface to threat actors, which raises the need for secure data validation, data and error handling, and storage. The project goals outlined in the audit report define the starting point for this engagement, which focused on security concerns such as these across the repository.
The audit engineers had three person-weeks to review the code and identify issues that endangered Mosquitto’s integrity, as well as to perform a Codebase Maturity Evaluation and generate recommendations for the project. After creating a threat model with related documentation, and using fuzzing and CodeQL static analysis to aid the review, the report identifies sixteen findings. Four of the findings were severe enough to be considered notable. Of these four, two (TOB-MOSQ-CR-1 and TOB-MOSQ-CR-3) relate to password security. Because attacks on password handling can lead to privilege escalation, these findings are salient to the security of the project. Finding TOB-MOSQ-CR-5 is described as a heap buffer over-read relating to storage capabilities, and TOB-MOSQ-CR-14 details a logic issue in the WebSocket protocol support. Including those four, nine of the sixteen reported issues were rated high severity by Trail of Bits. The five other high-severity findings were categorized as relating to cryptography, data exposure and validation, and timing. All reported issues have been fixed or addressed by Mosquitto.
Mosquitto is used in a variety of industries and is designed to run across many platforms. As such, its verification, logic, and trust processes are pivotal to its security health, and practices like security audits are an effective way of locating and reviewing code for such vulnerabilities. As Mosquitto evolves with new releases, its wide community will surely help the project and its maintainers sustain healthy practices. Audits like this one not only help identify and resolve outstanding vulnerabilities but also point the project towards methods and steps to further harden security and improve overall code health. This audit in particular was fruitful in its numerous high-severity findings. While quantitative audit results are helpful in improving project security, the real value of these findings lies in how they help the project and the audit team identify processes and code that can be improved for Mosquitto’s security.
Thank you to Roger Light, the Mosquitto maintainer, who worked with Trail of Bits and the Eclipse Foundation on this project for their input, time, and labor related to this audit. Thank you to Shaun Mirani, Kelly Kaoudis, and Spencer Michaels from Trail of Bits for their work auditing and reviewing Mosquitto, as well as the rest of the team at ToB who contributed to this audit and its success. Finally, we offer thanks to the Eclipse Foundation, whose funding and support of open source security made this audit possible.
Read the code review report HERE and the threat model report HERE
Read the Eclipse Foundation’s blog HERE