CVE-2024-8013 - Query Analysis Bug in Encrypted Fields of MongoDB Enterprise Server Causing Data Leak

Summary: A security vulnerability has been discovered in MongoDB Enterprise Server, affecting the mongocryptd binary and the mongo_crypt_v1.so shared libraries. This bug results in the leakage of plaintext data from encrypted fields in certain complex $lookup subpipelines, which potentially exposes sensitive information. This post provides a detailed breakdown of the issue, as well as information on affected versions and how to patch the problem.

Overview

A critical vulnerability (CVE-2024-8013) has been identified in the MongoDB Enterprise Server's handling of encrypted fields in certain self-referential $lookup subpipelines. When these subpipelines are used improperly, data that should be sent to the server as ciphertext is instead sent as plaintext, potentially exposing sensitive information. This issue arises due to a bug in the query analysis of the MongoDB Enterprise Server that affects specific versions of the mongocryptd binary and the mongo_crypt_v1.so shared libraries.

Consider the following hypothetical MongoDB aggregation pipeline:

db.collection.aggregate([
  {
    $lookup: {
      from: "collection2",
      // Bind the outer document's original_id so the subpipeline can reference it as $$orig_id
      let: { orig_id: "$original_id" },
      as: "alias",
      pipeline: [
        {
          $match: {
            // Join condition: related_id in collection2 must equal the outer original_id
            $expr: {
              $eq: ["$related_id", "$$orig_id"]
            }
          }
        }
      ]
    }
  }
])

In this example, we have a self-referential $lookup subpipeline that links two collections based on matching the "original_id" field from one collection to the "related_id" field in another collection. If the "original_id" or "related_id" fields are encrypted, the plaintext values may be sent to the server improperly due to the CVE-2024-8013 vulnerability.
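As an added, defender-side example (not code from MongoDB or from this advisory): a small audit function that walks an aggregation pipeline and reports every $lookup subpipeline that references a field declared as encrypted, resolving $$var references back through the `let` bindings, so such queries can be located in application code and reviewed before the patched release is rolled out. The schema map, collection names and the `ssn` field are constructed for the example.

```javascript
// Constructed CSFLE-style schema map (collection -> encrypted field paths) and
// the advisory's hypothetical pipeline as the input to audit.
const ENCRYPTED_FIELDS = { collection: ["original_id", "ssn"], collection2: ["related_id"] };
const PIPELINE = [{ $lookup: { from: "collection2", let: { orig_id: "$original_id" }, as: "alias",
  pipeline: [{ $match: { $expr: { $eq: ["$related_id", "$$orig_id"] } } }] } }];

// Collect "$path" references in an expression; "$$var" resolves through the
// $lookup `let` bindings, which are evaluated against the outer collection.
function collectExprRefs(value, ctx, out) {
  if (typeof value === "string" && value.startsWith("$$")) {
    const bound = ctx.letVars[value.slice(2).split(".")[0]];
    if (bound !== undefined) collectExprRefs(bound, { ...ctx, collection: ctx.outer, letVars: {} }, out);
  } else if (typeof value === "string" && value.startsWith("$")) {
    out.push({ collection: ctx.collection, field: value.slice(1) });
  } else if (value && typeof value === "object") {
    Object.values(value).forEach((v) => collectExprRefs(v, ctx, out)); // arrays and objects
  }
  return out;
}

// In a $match filter the keys (outside $and/$or/$nor/$expr) are field paths.
function collectMatchRefs(filter, ctx, out) {
  for (const [key, val] of Object.entries(filter)) {
    if (["$and", "$or", "$nor"].includes(key)) val.forEach((f) => collectMatchRefs(f, ctx, out));
    else if (key === "$expr") collectExprRefs(val, ctx, out);
    else if (!key.startsWith("$")) out.push({ collection: ctx.collection, field: key });
  }
  return out;
}

// Report each $lookup subpipeline (nested ones included) that reads a field
// declared encrypted, directly or through a `let` variable, as "collection.field".
function findEncryptedLookupRefs(pipeline, collection, encrypted, prefix = "") {
  const findings = [];
  pipeline.forEach((stage, i) => {
    const lookup = stage.$lookup;
    if (!lookup || !Array.isArray(lookup.pipeline)) return;
    const letVars = lookup.let || {};
    const ctx = { collection: lookup.from, outer: collection, letVars };
    const refs = collectExprRefs(letVars, { ...ctx, collection, letVars: {} }, []);
    for (const sub of lookup.pipeline) {
      if (sub.$match) collectMatchRefs(sub.$match, ctx, refs); else collectExprRefs(sub, ctx, refs);
    }
    const hits = new Set(refs.filter((r) => (encrypted[r.collection] || []).includes(r.field)).map((r) => `${r.collection}.${r.field}`));
    hits.forEach((h) => findings.push({ stage: `${prefix}${i}`, field: h }));
    findings.push(...findEncryptedLookupRefs(lookup.pipeline, lookup.from, encrypted, `${prefix}${i}.pipeline.`));
  });
  return findings;
}
```

Running `findEncryptedLookupRefs(PIPELINE, "collection", ENCRYPTED_FIELDS)` on the advisory's pipeline flags both `collection.original_id` (via `let`) and `collection2.related_id` in stage 0; a literal string beginning with "$" inside an expression is reported as well, so treat hits as candidates for review rather than proof.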

Exploit Details

This vulnerability potentially allows an attacker to access the plaintext values of encrypted fields, which could expose sensitive data, such as personal information, payment details, or confidential records.

This issue only affects users of the MongoDB Enterprise Server who are utilizing the Client-Side Field Level Encryption (CSFLE) feature with complex self-referential $lookup subpipelines.

If exploited, no documents would be returned or written, which might indicate to an administrator that something is incorrect with their queries or server configuration, but may not immediately reveal the exposure of sensitive information.

Recommendation

To address this vulnerability, users should update their MongoDB Enterprise Server instances (including the mongocryptd binary and the mongo_crypt_v1.so shared library) to the patched versions listed in the MongoDB security advisory for CVE-2024-8013. MongoDB regularly releases updates and patches for its products, and it is crucial to remain vigilant in keeping software up-to-date.

For additional information, refer to the MongoDB Security Advisories page, which provides a comprehensive list of security advisories, patches, and affected versions:

- MongoDB Security Advisories

Also, refer to the MongoDB documentation on Client-Side Field-Level Encryption (CSFLE) for a deeper understanding and best practices related to handling encrypted data:

- MongoDB Client-Side Field-Level Encryption (CSFLE) Documentation

Timeline

Published on: 10/28/2024 13:15:10 UTC
Last modified on: 10/28/2024 13:58:09 UTC