Skip to content

Latest commit

 

History

History
242 lines (182 loc) · 16.3 KB

mitigations.md

File metadata and controls

242 lines (182 loc) · 16.3 KB

Mitigation Strategies Analysis for eclipse-mosquitto/mosquitto

Mitigation Strategy: Enforce Strong Authentication

  • Mitigation Strategy: Enforce Strong Authentication

    • Description:

      1. Disable Anonymous Access: Modify the mosquitto.conf file. Locate the allow_anonymous setting. If it's missing or set to true, change it to allow_anonymous false. Restart the Mosquitto service.
      2. Choose an Authentication Method:
        • Username/Password:
          • Create a password file using the mosquitto_passwd utility: mosquitto_passwd -c /path/to/passwordfile username. Repeat for each user, omitting the -c flag after the first user.
          • In mosquitto.conf, add password_file /path/to/passwordfile.
        • Client Certificates (TLS):
          • Generate a Certificate Authority (CA) key and certificate: openssl req -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -nodes.
          • Generate a server key and certificate signing request (CSR): openssl req -newkey rsa:4096 -keyout mosquitto.key -out mosquitto.csr -nodes.
          • Sign the server CSR with the CA: openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 365.
          • Generate client keys and CSRs (repeat for each client): openssl req -newkey rsa:4096 -keyout client.key -out client.csr -nodes.
          • Sign the client CSRs with the CA: openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365.
          • In mosquitto.conf, add: 
            cafile /path/to/ca.crt
certfile /path/to/mosquitto.crt
keyfile /path/to/mosquitto.key
require_certificate true
tls_version tlsv1.3 # Or tlsv1.2
          • Clients must be configured to use their respective certificates and the CA certificate.
        • Authentication Plugin:
          • Choose and install a suitable plugin (e.g., mosquitto-auth-plug).
          • Configure the plugin according to its documentation, connecting it to your authentication source (database, LDAP, etc.).
          • In mosquitto.conf, specify the plugin and its configuration file.
      3. Restart Mosquitto: After making changes to mosquitto.conf, restart the Mosquitto service to apply the changes.

    • Threats Mitigated:

      • Unauthorized Access (Severity: Critical): Prevents unauthenticated users from connecting, publishing, or subscribing.
      • Brute-Force Attacks (Severity: High): Strong passwords or client certificates make brute-force attacks significantly harder.
      • Credential Stuffing (Severity: High): Unique passwords per client mitigate the impact of credential stuffing attacks.
      • Man-in-the-Middle (MitM) Attacks (Severity: Critical): Client certificates, when used with TLS, provide strong authentication and prevent MitM attacks.

    • Impact:

      • Unauthorized Access: Risk reduced to near zero.
      • Brute-Force Attacks: Risk significantly reduced, dependent on password strength or certificate security.
      • Credential Stuffing: Risk significantly reduced if unique passwords are used.
      • Man-in-the-Middle (MitM) Attacks: Risk reduced to near zero when using client certificates and TLS with proper certificate validation.

    • Currently Implemented: Partially. Username/password authentication is implemented using mosquitto_passwd and password_file in /etc/mosquitto/mosquitto.conf.

    • Missing Implementation: Client certificate authentication is not implemented. The system relies solely on username/password authentication, which is less secure. An authentication plugin is also not currently used.

Mitigation Strategy: Implement Fine-Grained Authorization (ACLs)

  • Mitigation Strategy: Implement Fine-Grained Authorization (ACLs)

    • Description:

      1. Create an ACL File: Create a text file (e.g., aclfile.txt).
      2. Define ACL Rules: Add rules to the file, following this format: 
        user <username>
topic read <topic_pattern>
topic write <topic_pattern>
topic readwrite <topic_pattern>
pattern <topic_pattern_with_wildcards>
        • Example: 
          user sensor1
topic read sensors/sensor1/#

user control_panel
topic readwrite sensors/#
      3. Configure Mosquitto: In mosquitto.conf, add acl_file /path/to/aclfile.txt.
      4. Restart Mosquitto: Restart the service to apply the changes.

    • Threats Mitigated:

      • Unauthorized Access to Topics (Severity: High): Prevents clients from accessing topics they are not explicitly authorized to use.
      • Data Leakage (Severity: High): Limits the potential for sensitive data to be exposed to unauthorized clients.
      • Malicious Message Injection (Severity: High): Restricts which clients can publish to specific topics, preventing unauthorized message injection.

    • Impact:

      • Unauthorized Access to Topics: Risk significantly reduced, dependent on the granularity of the ACL rules.
      • Data Leakage: Risk significantly reduced, as clients can only access authorized data.
      • Malicious Message Injection: Risk significantly reduced, as only authorized clients can publish to specific topics.

    • Currently Implemented: No. There is no acl_file configured in mosquitto.conf.

    • Missing Implementation: The entire ACL system is missing. All authenticated users currently have unrestricted access to all topics.

Mitigation Strategy: Connection Limits

  • Mitigation Strategy: Connection Limits

    • Description:

      1. Edit mosquitto.conf: Open the configuration file.
      2. Set max_connections: Add or modify the max_connections setting. Choose a value based on your server's capacity and expected client load. For example: max_connections 1000.
      3. (Optional) Per-Listener Settings: If you have multiple listeners, use per_listener_settings true and configure max_connections within each listener block.
      4. Restart Mosquitto: Restart the service.

    • Threats Mitigated:

      • Denial of Service (DoS) (Severity: High): Limits the number of simultaneous connections, preventing attackers from overwhelming the broker with connection requests.
      • Resource Exhaustion (Severity: High): Reduces the risk of the broker running out of resources (file descriptors, memory) due to excessive connections.

    • Impact:

      • Denial of Service (DoS): Risk significantly reduced, as the broker will reject connections beyond the configured limit.
      • Resource Exhaustion: Risk significantly reduced, as the number of connections is capped.

    • Currently Implemented: No. max_connections is not set in mosquitto.conf.

    • Missing Implementation: The max_connections limit is not enforced. The broker is vulnerable to connection-based DoS attacks.

Mitigation Strategy: Always Use TLS/SSL

  • Mitigation Strategy: Always Use TLS/SSL

    • Description:

      1. Obtain a TLS Certificate: Get a certificate from a trusted CA (e.g., Let's Encrypt) or create a self-signed certificate (for testing only).
      2. Configure mosquitto.conf:
        • Add or modify the following settings: 
          listener 8883
cafile /path/to/ca.crt
certfile /path/to/mosquitto.crt
keyfile /path/to/mosquitto.key
tls_version tlsv1.3 # Or tlsv1.2
        • Replace the paths with the actual paths to your certificates and key.
      3. Configure Clients: Ensure all clients are configured to connect using TLS, providing the CA certificate and, if required, client certificates.
      4. Restart Mosquitto: Restart the service.

    • Threats Mitigated:

      • Man-in-the-Middle (MitM) Attacks (Severity: Critical): TLS encrypts the communication, preventing attackers from intercepting or modifying messages.
      • Eavesdropping (Severity: High): Encryption prevents attackers from reading the contents of MQTT messages.
      • Data Tampering (Severity: High): TLS provides integrity checks, ensuring that messages have not been altered in transit.

    • Impact:

      • Man-in-the-Middle (MitM) Attacks: Risk reduced to near zero with proper certificate validation.
      • Eavesdropping: Risk reduced to near zero.
      • Data Tampering: Risk reduced to near zero.

    • Currently Implemented: Partially. The mosquitto.conf file includes cafile, certfile, and keyfile settings, and a listener is configured for port 8883 (TLS). However, tls_version is not explicitly set, and tls_insecure is likely not set to false.

    • Missing Implementation: While TLS is configured, it's crucial to verify that all clients are actually connecting using TLS and that certificate validation is working correctly. tls_insecure false should be set to enforce certificate validation. The tls_version should be explicitly set to tlsv1.3 or tlsv1.2.

Mitigation Strategy: Secure Bridge Configuration

  • Mitigation Strategy: Secure Bridge Configuration

    • Description:

      1. Enable TLS: Use connection <bridge_name> and address <remote_broker_address>:8883 in mosquitto.conf. Configure cafile, certfile, and keyfile for the bridge connection, just like for client connections.
      2. Use Authentication: Set remote_username and remote_password (or use client certificates) for the bridge connection.
      3. Define Topic Mappings: Use topic <pattern> <direction> <local_prefix> <remote_prefix> to control which topics are bridged. Avoid using # alone. Example: topic sensors/# out local/ remote/.
      4. Restart Mosquitto: Restart the service.

    • Threats Mitigated:

      • Unauthorized Access to Bridged Brokers (Severity: High): TLS and authentication prevent unauthorized connections to the remote broker.
      • Data Leakage Across Brokers (Severity: High): Topic mappings control which data is shared between brokers.
      • Message Loops (Severity: Medium): Careful topic mapping with prefixes prevents messages from being endlessly forwarded between brokers.

    • Impact:

      • Unauthorized Access to Bridged Brokers: Risk significantly reduced with TLS and authentication.
      • Data Leakage Across Brokers: Risk significantly reduced with well-defined topic mappings.
      • Message Loops: Risk minimized with proper prefixing.

    • Currently Implemented: Not Applicable. The current system does not use bridging.

    • Missing Implementation: Not Applicable, as bridging is not used.

Mitigation Strategy: Retained Messages Management

  • Mitigation Strategy: Retained Messages Management

    • Description:

      1. Use Retained Messages Sparingly: Only retain messages when absolutely necessary for new subscribers.
      2. Set Expiry: In mosquitto.conf, use message_expiry_interval <seconds> to set a global expiry time for retained messages. Clients can also set expiry intervals when publishing.
      3. Clear Retained Messages: Publish an empty payload to a retained topic to clear it.
      4. Use ACLs: Restrict which clients can publish retained messages using ACL rules (part of the broader ACL strategy).

    • Threats Mitigated:

      • Exposure of Stale Data (Severity: Medium): Expiry intervals ensure that old data is eventually removed.
      • Data Leakage (Severity: Medium): ACLs and careful use of retained messages limit the potential for sensitive data to be exposed.
      • Unexpected Behavior (Severity: Low): Clearing retained messages when they are no longer needed prevents unexpected behavior for new subscribers.

    • Impact:

      • Exposure of Stale Data: Risk significantly reduced with expiry intervals.
      • Data Leakage: Risk reduced with careful use and ACLs.
      • Unexpected Behavior: Risk minimized by clearing unnecessary retained messages.

    • Currently Implemented: Partially. There is no global message_expiry_interval set.

    • Missing Implementation: A global expiry interval should be set in mosquitto.conf. ACLs should be used to restrict publishing of retained messages (this is part of the missing ACL implementation).

Mitigation Strategy: Queue Limits

  • Mitigation Strategy: Queue Limits

    • Description:

      1. Edit mosquitto.conf: Open the configuration file.
      2. Set max_queued_messages: Add or modify this setting to limit the number of queued QoS 1 and 2 messages for disconnected clients. Example: max_queued_messages 100.
      3. Set max_inflight_messages: Add or modify this setting to limit the number of unacknowledged QoS 1 and 2 messages. Example: max_inflight_messages 20.
      4. Restart Mosquitto: Restart the service.

    • Threats Mitigated:

      • Resource Exhaustion (Severity: Medium): Limits memory usage by preventing excessive message queuing.
      • Denial of Service (DoS) (Severity: Medium): Indirectly helps mitigate DoS by limiting resource consumption.

    • Impact:

      • Resource Exhaustion: Risk significantly reduced, preventing uncontrolled growth of message queues.
      • Denial of Service (DoS): Some indirect mitigation by limiting resource consumption.

    • Currently Implemented: No. Neither max_queued_messages nor max_inflight_messages are set.

    • Missing Implementation: Both queue limit settings are missing, leaving the broker potentially vulnerable to resource exhaustion from queued messages.

Mitigation Strategy: Persistence Configuration

  • Mitigation Strategy: Persistence Configuration

    • Description:

      1. Edit mosquitto.conf: Open the configuration file.
      2. Set autosave_interval: Configure how often the persistent database is saved (in seconds). Example: autosave_interval 300 (5 minutes).
      3. Set persistence_location: Specify the directory for the persistence database. Example: persistence_location /var/lib/mosquitto/.
      4. Ensure Sufficient Disk Space: Make sure the chosen location has enough free space.
      5. Restart Mosquitto: Restart the service.

    • Threats Mitigated:

      • Data Loss (Severity: Medium): Controls how often data is saved, balancing performance and data loss risk.
      • Performance Degradation (Severity: Low): Avoids excessively frequent disk writes.
      • Disk Space Exhaustion (Severity: Medium): Ensuring sufficient disk space prevents crashes due to lack of storage.

    • Impact:

      • Data Loss: Risk balanced by choosing an appropriate autosave_interval.
      • Performance Degradation: Risk minimized by avoiding overly frequent saves.
      • Disk Space Exhaustion: Risk minimized by monitoring and providing sufficient disk space.

    • Currently Implemented: Partially. persistence is enabled, and persistence_location is set. autosave_interval is not explicitly set, using the default value.

    • Missing Implementation: autosave_interval should be explicitly set to a value appropriate for the application's needs, rather than relying on the default.