Users can authenticate with an invalid x509 certificate

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Security

      1. Start a mongod instance:

      $ mongod --version
      2013-10-02T17:22:46.708+0000 git version: 7e57c5311b0b660cf2df6d3c2cd01245adbafe21
      2013-10-02T17:22:46.709+0000 OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
      $ mongod --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --auth
      

      2. Connect to mongod:

      $ mongo --version
      MongoDB shell version: 2.5.3-pre-
      $ mongo --ssl --sslPEMKeyFile client_invalid.pem
      > use $external
      > db.addUser({
      ...   user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
      ...   roles:[
      ...                    {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
      ...                    {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
      ...                    {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
      ...                    {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]});
      {
      	"user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
      	"roles" : [
      		{
      			"name" : "clusterAdmin",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "userAdminAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "readWriteAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "dbAdminAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		}
      	]
      }
      > db.auth({ user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
      ... mechanism:"MONGODB-X509"})
      1
      

      Users can be created and authenticate with an invalid x509 certificate (see example certificate attached). The provided certificate (client_invalid.pem) is invalid because the "Validity Not Before" is set to a date that has not yet arrived and the "Validity Not After" is a date already passed. The second provided certificate (client_invalid2.pem) has invalid values for public key algorithm, public key modulus, exponent, x509v3 extensions, signature algorithm, as well as negative values for version and serial number. Expected behavior is that mongod should not allow clients to connect who have an invalid x509 certificate.
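Added example, not part of this issue and not MongoDB code: a small Python DER walker that reads the version, serial number and validity window out of an X.509 certificate and reports the defects the description above names (a notBefore still in the future, a notAfter already past, a negative version or serial). It performs no signature or chain verification, which stays with the TLS stack; the certificates it inspects are constructed, unsigned shells produced by its own `make_fixture` helper rather than the attached client_invalid*.pem files, and `REPORT_TIME`, `demo_cases` and the problem strings are this example's own choices.

```python
"""Added example (not MongoDB code): walk a DER-encoded X.509 certificate far enough
to read version, serial and validity, then report the defects the report describes."""
import datetime as dt

UTC = dt.timezone.utc
REPORT_TIME = dt.datetime(2013, 10, 2, 17, 22, 46, tzinfo=UTC)  # timestamp from the report

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8n followed by n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    """Decode Time ::= UTCTime (0x17, two-digit year) | GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY < 50 means 20YY, else 19YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag {tag:#x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def inspect_certificate(der, now=REPORT_TIME):
    """Return version/serial/validity and the list of problems, judged at `now`."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(cert, 0)         # TBSCertificate ::= SEQUENCE
    fields = _children(tbs)
    version = 0                            # absent [0] version means v1, encoded as 0
    if fields[0][0] == 0xA0:               # EXPLICIT [0] version INTEGER
        version = int.from_bytes(_children(fields[0][1])[0][1], "big", signed=True)
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    # fields[1] = signature AlgorithmIdentifier, fields[2] = issuer Name, fields[3] = validity
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    not_before, not_after = _parse_time(nb_tag, nb), _parse_time(na_tag, na)
    problems = []
    if not 0 <= version <= 2:              # v1..v3 are encoded as 0..2
        problems.append("version out of range")
    if serial < 0:                         # RFC 5280 requires a positive serial number
        problems.append("serial number is negative")
    if not_before > now:
        problems.append("notBefore is in the future")
    if not_after < now:
        problems.append("notAfter is in the past")
    if not_before > not_after:
        problems.append("notBefore is after notAfter")
    return {"version": version, "serial": serial, "not_before": not_before,
            "not_after": not_after, "problems": problems}

# --- constructed fixtures: a tiny DER encoder for unsigned certificate shells ---
def _tlv(tag, val):
    n = len(val)
    if n < 0x80:
        return bytes([tag, n]) + val
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val

def _int(i):                               # two's-complement INTEGER with room for the sign bit
    return _tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True))

def _utctime(t):
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def make_fixture(version, serial, not_before, not_after):
    """Constructed shell, not a real certificate: empty AlgorithmIdentifier, Name and
    SubjectPublicKeyInfo sequences plus an empty BIT STRING in place of a signature."""
    empty = _tlv(0x30, b"")
    validity = _tlv(0x30, _utctime(not_before) + _utctime(not_after))
    tbs = _tlv(0xA0, _int(version)) + _int(serial) + empty + empty + validity + empty + empty
    return _tlv(0x30, _tlv(0x30, tbs) + empty + _tlv(0x03, b"\x00"))

def demo_cases(now=REPORT_TIME):
    """Inspect three constructed shells modelled on the report's two attachments."""
    cases = {
        "good": make_fixture(2, 0x1234, dt.datetime(2013, 1, 1), dt.datetime(2014, 1, 1)),
        # like client_invalid.pem: notBefore not yet reached, notAfter already passed
        "bad_window": make_fixture(2, 7, dt.datetime(2020, 1, 1), dt.datetime(2010, 1, 1)),
        # like client_invalid2.pem: negative version and serial number
        "negative": make_fixture(-1, -5, dt.datetime(2013, 1, 1), dt.datetime(2014, 1, 1)),
    }
    return {name: inspect_certificate(der, now) for name, der in cases.items()}

if __name__ == "__main__":
    for name, result in demo_cases().items():
        print(f"{name}: {result['problems'] or 'ok'}")
```

The walker stops at the validity field on purpose: the point is that a server must reject a client certificate whose window does not contain the current time (and, as with the second attachment, one whose basic integers are malformed) before any question of trust in the CA or CRL arises. Pointing `inspect_certificate` at the bytes of a real DER certificate, with `now` left at its default or set to the current UTC time, gives the same report.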

        1. client_invalid2.pem
          4 kB
        2. client_invalid.pem
          6 kB

            Assignee: Andreas Nilsson (Inactive)
            Reporter: Luke Lovett (Inactive)
            Votes: 0
            Watchers: 7