Denial-of-Service Vulnerability in MQTT Library of Arm Mbed OS
CVE-2019-17210
7.5 HIGH
Summary
A denial-of-service issue was identified in the MQTT library of Arm Mbed OS 2017-11-02. The function readMQTTLenString() reads the length and content of the MQTT topic name from the incoming packet, and the two-byte length field is attacker-controlled. A length larger than the remaining packet data makes the function's bounds check fail, so it returns without ever assigning mqttstring->lenstring.data, which keeps its initial value of zero. The library then goes on to use that zero pointer as the topic name, producing an invalid memory access that crashes the application relying on the library, particularly on Arm Cortex-M chips. In practice this is a remote, unauthenticated crash: a single malformed MQTT message with a crafted topic-length field is enough, and no credentials or user interaction are required.
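The following C program is an added illustration of the parsing pattern the advisory describes; it is not code from the Mbed OS MQTT library or from the advisory. The structure names, the caller functions and the sample packets are assumptions made for the example: read_len_string() has the shape of a length-prefixed string reader whose failure path leaves the data pointer untouched, publish_parse_unchecked() is a caller that ignores the return value (the vulnerable pattern), and publish_parse_checked() is the hardened counterpart that rejects the packet before touching the pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction only; not Mbed OS or Paho MQTTPacket source.
 * Names, layout and caller behaviour are assumptions for this example. */

typedef struct {
    int   len;   /* length taken from the packet's 2-byte prefix */
    char *data;  /* pointer into the packet; the caller initialises it to 0 */
} LenString;

/* Shape of readMQTTLenString(): read a big-endian 16-bit length, then hand
 * back a pointer to the body if it fits in the remaining packet. On an
 * oversized length the inner if is skipped, rc stays 0 and str->data is
 * never assigned, so it keeps whatever the caller initialised it to. */
static int read_len_string(LenString *str, const uint8_t **pptr, const uint8_t *end)
{
    int rc = 0;
    if (end - *pptr > 1) {                               /* room for the length? */
        str->len = ((*pptr)[0] << 8) | (*pptr)[1];       /* attacker-controlled */
        *pptr += 2;
        if ((size_t)(end - *pptr) >= (size_t)str->len) { /* does the body fit? */
            str->data = (char *)*pptr;
            *pptr += str->len;
            rc = 1;
        }
    }
    return rc;
}

/* Vulnerable-pattern caller: discards the return value and uses data anyway.
 * Returns the topic length for a benign packet; returns -1 at the point where
 * the real code would read address 0 (stand-in for the crash). */
int publish_parse_unchecked(const uint8_t *pkt, size_t n, char *out, size_t out_sz)
{
    LenString topic = { 0, 0 };
    const uint8_t *cur = pkt, *end = pkt + n;
    read_len_string(&topic, &cur, end);                  /* rc ignored */
    if (topic.data == NULL)
        return -1;                                       /* would dereference 0 */
    size_t k = (size_t)topic.len < out_sz - 1 ? (size_t)topic.len : out_sz - 1;
    memcpy(out, topic.data, k);
    out[k] = '\0';
    return (int)k;
}

/* Hardened caller: a failed parse means a malformed packet, so reject it
 * before anything reads through topic.data. */
int publish_parse_checked(const uint8_t *pkt, size_t n, char *out, size_t out_sz)
{
    LenString topic = { 0, 0 };
    const uint8_t *cur = pkt, *end = pkt + n;
    if (!read_len_string(&topic, &cur, end) || topic.data == NULL)
        return -2;                                       /* drop the packet */
    size_t k = (size_t)topic.len < out_sz - 1 ? (size_t)topic.len : out_sz - 1;
    memcpy(out, topic.data, k);
    out[k] = '\0';
    return (int)k;
}

/* Constructed sample payloads (not captured traffic): a 2-byte big-endian
 * topic length followed by the topic bytes. */
const uint8_t BENIGN_PKT[]  = { 0x00, 0x03, 'a', 'b', 'c' };
const uint8_t CRAFTED_PKT[] = { 0xFF, 0xFF, 'a', 'b', 'c' }; /* claims 65535 bytes */
const uint8_t SHORT_PKT[]   = { 0x00 };                      /* truncated length */

int demo_unchecked(const uint8_t *pkt, size_t n)
{
    char topic[32];
    return publish_parse_unchecked(pkt, n, topic, sizeof topic);
}

int demo_checked(const uint8_t *pkt, size_t n)
{
    char topic[32];
    return publish_parse_checked(pkt, n, topic, sizeof topic);
}

int main(void)
{
    printf("benign : unchecked=%d checked=%d\n",
           demo_unchecked(BENIGN_PKT, sizeof BENIGN_PKT),
           demo_checked(BENIGN_PKT, sizeof BENIGN_PKT));
    printf("crafted: unchecked=%d checked=%d\n",
           demo_unchecked(CRAFTED_PKT, sizeof CRAFTED_PKT),
           demo_checked(CRAFTED_PKT, sizeof CRAFTED_PKT));
    printf("short  : unchecked=%d checked=%d\n",
           demo_unchecked(SHORT_PKT, sizeof SHORT_PKT),
           demo_checked(SHORT_PKT, sizeof SHORT_PKT));
    return 0;
}
```

The crafted packet never trips an out-of-bounds read in read_len_string() itself; the bounds check correctly refuses it. The defect is entirely in what happens next: a caller that treats the still-zero data pointer as valid. On a Cortex-M target, where a zero pointer is not guarded by an unmapped page, the equivalent of the -1 branch is the fault or silent misread the advisory describes, so the fix is to check the return value (or the pointer) and discard the packet.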
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged