A significant vulnerability has been identified in MongoDB Server that allows the command used to refine a collection's shard key to be executed without the required authorization. It affects MongoDB Server v5.0 versions prior to 5.0.22, v6.0 versions prior to 6.0.11, and v7.0 versions prior to 7.0.3.

The missing authorization check allows the command to be run directly on a shard, which can degrade query performance or reveal chunk boundaries through timing side channels. In this post, we'll discuss the relevant code snippet, the exploit details, and links to the original references for CVE-2024-6375.

Code Snippet

The vulnerability stems from an oversight in the MongoDB source code: the authorization check for the refineCollectionShardKey command is missing. The following snippet shows the request-parsing path in the vulnerable MongoDB versions:

StatusWith<RefineCollectionShardKeyRequest> refineCollectionShardKeyRequestCreateFromBSON(
    const BSONObj& cmdObj) {
    RefineCollectionShardKeyRequest request;
    // ...
    // The command's first field carries the fully qualified namespace ("db.coll").
    if (cmdObj["refineCollectionShardKey"].type() == String) {
        auto fullNsElt = cmdObj["refineCollectionShardKey"];
        // ...
        request.setNss(NamespaceString(fullNsElt.checkAndGetStringData()));
    }
    // ...
    // The new shard key is a BSON document in the command's "key" field;
    // ShardKeyPattern is built from that sub-object, not from a string.
    request.setShardKeyPattern(ShardKeyPattern(cmdObj["key"].Obj()));
    // No authorization check is performed on this path: the request is built
    // and returned without verifying that the caller holds the privilege
    // required to refine this collection's shard key.
    return request;
}

Exploit Details

This vulnerability allows attackers to execute the refineCollectionShardKey command without proper authorization. By running this command directly on a shard, an attacker can cause either degradation of query performance or reveal chunk boundaries through timing side channels.

Furthermore, this security flaw could result in unauthorized access to sensitive data or even manipulation of the database, which poses grave risks for organizations using the affected MongoDB versions.

Original References

The MongoDB team has acknowledged the existence of this vulnerability and has issued patches to address it. Here are the links to the relevant version updates:

1. MongoDB Server v5.0.22: https://docs.mongodb.com/manual/release-notes/5.0-changelog/#5.0.22-changelog
2. MongoDB Server v6.0.11: https://docs.mongodb.com/manual/release-notes/6.0-changelog/#6.0.11-changelog
3. MongoDB Server v7.0.3: https://docs.mongodb.com/manual/release-notes/7.0-changelog/#7.0.3-changelog

For those using vulnerable MongoDB versions, it is highly recommended to apply the updates as soon as possible. Alternatively, you can ensure proper access control is in place, limiting the potential for unauthorized command execution.
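To find which hosts in a deployment inventory still fall inside the affected ranges listed above, here is an added Python helper (not part of the original post, and not MongoDB's own tooling). The hostnames and versions in SAMPLE are constructed; pre-release builds of a fix version (e.g. "7.0.3-rc0") are treated as older than the fix itself, which is an assumption about MongoDB's tagging.

```python
import re
from typing import Optional

# Fixed versions per affected release line, taken from the advisory text above.
FIXED = {(5, 0): (5, 0, 22), (6, 0): (6, 0, 11), (7, 0): (7, 0, 3)}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(rc\d+|alpha\d*|beta\d*))?$")


def parse_version(s: str) -> tuple:
    """Return (major, minor, patch, is_release); raise ValueError on junk input."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {s!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is None


def is_affected(version: str) -> Optional[bool]:
    """True if affected by CVE-2024-6375, False if fixed, None if the release
    line is outside the advisory's ranges (e.g. 4.4 or 7.1)."""
    major, minor, patch, is_release = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    if (major, minor, patch) < fixed:
        return True
    if (major, minor, patch) == fixed and not is_release:
        # Assumption: a pre-release build of the fix version predates the fix.
        return True
    return False


def triage(inventory):
    """Group (host, version) pairs into affected / fixed / unknown buckets."""
    out = {"affected": [], "fixed": [], "unknown": []}
    for host, ver in inventory:
        try:
            state = is_affected(ver)
        except ValueError:
            state = None  # unparsable version: needs a manual look
        key = "unknown" if state is None else ("affected" if state else "fixed")
        out[key].append(host)
    return out


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [("shard-a", "5.0.21"), ("shard-b", "6.0.11"), ("cfg-1", "7.0.3-rc0"),
          ("legacy", "4.4.29"), ("mongos-1", "7.0.3")]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {hosts}")
```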

Timeline

Published on: 07/01/2024 15:15:17 UTC
Last modified on: 07/03/2024 14:54:52 UTC