ISSUE DESCRIPTION AND IMPACT
In MongoDB Enterprise, when a mongod server accepts authentication attempts via the PLAIN mechanism on the $external database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, then passwords are not validated.
DIAGNOSIS AND AFFECTED VERSIONS
Users running MongoDB Enterprise 3.4 or 3.6 may be affected by this issue under the following conditions:
- MongoDB is on Linux or macOS, and
- The PLAIN authentication mechanism on MongoDB is enabled (--setParameter authenticationMechanisms=PLAIN), and either
- MongoDB is configured to use native LDAP authentication, and MongoDB is configured to use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers by setting security.ldap.bind.saslMechanisms to contain 'GSSAPI', or
- MongoDB is configured to use saslauthd with the LDAP backend and with ldap_mech set to 'GSSAPI'
When all these conditions are present, authentication to the $external database succeeds with only a valid LDAP username; the password supplied by the client is not validated. Unfortunately there is no way to determine from server logs or audit records whether this vulnerability has been exploited by a malicious client.
None of the following deployments are affected by this issue:
- MongoDB 3.2 and MongoDB 4.0 deployments
- MongoDB deployments running on Microsoft Windows
- MongoDB deployments that have not been configured to use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers
- MongoDB deployments that use the Cyrus SASL GSSAPI mechanism for LDAP authorization, but do not accept authentication attempts with the PLAIN authentication mechanism.
- MongoDB deployments that use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers during LDAP authorization, which delegate inbound PLAIN authentication attempts to an instance of saslauthd that binds to LDAP servers via a mechanism other than GSSAPI.
REMEDIATION AND WORKAROUNDS
There are several solutions which may be used to mitigate this issue:
Administrators may disable the PLAIN mechanism for MongoDB, by removing 'PLAIN' from the authenticationMechanisms setParameter.
If the LDAP service account password is known, and MongoDB must accept inbound authentication attempts using the PLAIN mechanism, remove the ability to bind to LDAP servers using the Cyrus SASL GSSAPI mechanism. This can be done by changing the security.ldap.bind.saslMechanisms configuration parameter to a mechanism other than "GSSAPI".
If MongoDB must perform LDAP authorization against a server it binds to with GSSAPI, and if MongoDB must use GSSAPI to authenticate clients which present plaintext passwords, MongoDB can be configured to use GSSAPI to bind to LDAP servers, but must delegate PLAIN authentication attempts to a saslauthd instance using the 'kerberos5' backend.
Configure saslauthd to use the 'kerberos5' backend, consulting the saslauthd documentation as necessary, and configure MongoDB to use it by setting setParameter.saslauthdPath to point to saslauthd's Unix domain socket.
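The following script is an added example and is not MongoDB's code or part of this advisory. It encodes the affected-configuration conditions from the DIAGNOSIS section and the three remediations above as a check that can be run over a mongod.conf and the saslauthd settings before upgrading. The YAML parser covers only the indented key/value subset used in the constructed sample configurations; the sample configurations, the LDAP host, the saslauthd socket path and the saslauthd.conf text are constructed for illustration, not taken from a real deployment.

```python
"""Added example (not MongoDB's code): checks a mongod configuration against the
affected-configuration conditions and remediations in this advisory. The YAML
parser handles only the indented 'key: value' subset used in the constructed
samples below; the sample configurations and paths are constructed, not real."""

# Releases that refuse to start with an affected configuration (3.4.16, 3.6.6).
FIXED_PATCH = {(3, 4): 16, (3, 6): 6}


def parse_simple_yaml(text):
    """Parse indented 'key: value' YAML (nested mappings and scalar values only)."""
    stack = [(-1, {})]  # (indent, mapping) for each open level; root at -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while indent <= stack[-1][0]:
            stack.pop()
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if value:
            stack[-1][1][key] = value
        else:
            child = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return stack[0][1]


def get(cfg, dotted):
    """Look up a dotted option such as security.ldap.bind.saslMechanisms."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def mechanisms(value):
    """Split a comma-separated mechanism list as mongod's options use."""
    return [m.strip().upper() for m in str(value or "").split(",") if m.strip()]


def parse_saslauthd_conf(text):
    """saslauthd.conf is 'key: value' per line, e.g. 'ldap_mech: GSSAPI'."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def assess(mongod_yaml, version, os_name, saslauthd_backend=None, saslauthd_conf=""):
    """Return (status, reason); status is 'affected', 'not_affected' or 'mitigated'.
    saslauthd_backend is the backend saslauthd was started with (ldap, kerberos5, ...)."""
    cfg = parse_simple_yaml(mongod_yaml)
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) not in FIXED_PATCH:
        return "not_affected", "%s is not a 3.4 or 3.6 release" % version
    if os_name.lower() not in ("linux", "darwin", "macos"):
        return "not_affected", "only Linux and macOS builds are affected"
    if "PLAIN" not in mechanisms(get(cfg, "setParameter.authenticationMechanisms")):
        return "not_affected", "PLAIN is not in authenticationMechanisms"
    if get(cfg, "setParameter.saslauthdPath"):
        # PLAIN attempts are delegated to saslauthd, so its LDAP bind is what matters.
        sasl = parse_saslauthd_conf(saslauthd_conf)
        if (saslauthd_backend or "").lower() != "ldap" or sasl.get("ldap_mech", "").upper() != "GSSAPI":
            return "not_affected", "saslauthd does not bind to LDAP with GSSAPI"
        reason = "saslauthd uses the LDAP backend with ldap_mech GSSAPI"
    elif "GSSAPI" in mechanisms(get(cfg, "security.ldap.bind.saslMechanisms")):
        reason = "native LDAP bind lists GSSAPI in security.ldap.bind.saslMechanisms"
    else:
        return "not_affected", "mongod does not bind to LDAP with GSSAPI"
    if patch >= FIXED_PATCH[(major, minor)]:
        return "mitigated", reason + "; this release refuses to start until the config is corrected"
    return "affected", reason


# Constructed mongod.conf fragment matching the affected conditions.
VULNERABLE_CONF = """\
security:
  ldap:
    servers: ldap.example.com
    bind:
      method: sasl
      saslMechanisms: GSSAPI
setParameter:
  authenticationMechanisms: PLAIN,SCRAM-SHA-1
"""
# Remediation 1: drop PLAIN from authenticationMechanisms.
NO_PLAIN_CONF = VULNERABLE_CONF.replace("PLAIN,SCRAM-SHA-1", "SCRAM-SHA-1")
# Remediation 2: bind to LDAP with a mechanism other than GSSAPI.
DIGEST_BIND_CONF = VULNERABLE_CONF.replace("saslMechanisms: GSSAPI", "saslMechanisms: DIGEST-MD5")
# Remediation 3: keep the GSSAPI bind, delegate PLAIN to saslauthd (kerberos5 backend).
SASLAUTHD_CONF = VULNERABLE_CONF + "  saslauthdPath: /var/run/saslauthd/mux\n"
# Constructed saslauthd.conf for an LDAP backend that itself binds with GSSAPI (still affected).
SASLAUTHD_LDAP_GSSAPI = "ldap_servers: ldap://ldap.example.com\nldap_mech: GSSAPI\n"

if __name__ == "__main__":
    for label, args in [("as found", (VULNERABLE_CONF, "3.6.5", "linux")),
                        ("saslauthd kerberos5", (SASLAUTHD_CONF, "3.6.5", "linux", "kerberos5")),
                        ("after upgrade", (VULNERABLE_CONF, "3.6.6", "linux"))]:
        print(label, assess(*args))
```

The check mirrors the order of the conditions in the advisory: platform, then whether PLAIN is accepted, then which component performs the LDAP bind for PLAIN credentials. When setParameter.saslauthdPath is set, the native security.ldap.bind.saslMechanisms value is deliberately ignored, because the advisory states that delegating PLAIN to a saslauthd instance that does not bind with GSSAPI removes the exposure even when mongod itself binds with GSSAPI for authorization. Remediation 3 assumes saslauthd is started with the kerberos5 backend; pass the actual backend and saslauthd.conf text, since an LDAP backend with ldap_mech GSSAPI is still affected.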
MongoDB 3.6.6 and 3.4.16, available for download, contain a mitigation for this issue. Because an affected deployment will refuse to start after upgrading to these releases, administrators must correct their configuration as described above before upgrading.