SERVER-70549 (Core Server): Speculative authentication with SCRAM-SHA-256 disabled on mongod creates audit message

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 6.3.0-rc0
    • Affects Version/s: 4.4.16
    • Component/s: None
    • Labels: None
    • Assigned Teams: Server Security
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Steps To Reproduce:
      • Run a standalone server 4.4.x with auditing enabled (no filter), setParameter authenticationMechanisms has SCRAM-SHA-1 but not SCRAM-SHA-256.
      • Create a test SCRAM user and authenticate with that user in mongosh.
      • In the mongod log, notice there is a speculative authentication attempt against SCRAM-SHA-256 from the node.js driver even though it's disabled at the server.
      • In the audit log, notice an audit log message for the SCRAM-SHA-256 speculative login attempt with result code 18.
    • Sprint: Security 2022-12-12, Security 2022-12-26, Security 2023-01-09, Security 2023-01-23
    • 141

      When running with SCRAM-SHA-256 not enabled on a mongod server, speculative authentication attempts with SCRAM-SHA-256 cause audit messages to be logged indicating authentication failures (result code 18).

      This is undesirable, as the appearance of an authentication failure message in the audit log can be taken as an indication that someone is actually trying to log in with a bad password.

      The ask here is to stop triggering audit events for speculative authentication failures.
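      As an added illustration (not code from the ticket or from MongoDB), a Python triage pass over JSON audit entries that separates the speculative-authentication failure this bug produces (result 18 with a mechanism the server does not enable) from failures that deserve an alert. It assumes mongod's JSON audit format with atype/param/result fields; the sample lines are constructed.

```python
import json
from collections import Counter

# MongoDB error code 18 is AuthenticationFailed, the "result" value this
# ticket reports for the driver's speculative SCRAM-SHA-256 attempt.
AUTH_FAILED = 18


def classify_event(event, enabled_mechanisms):
    """Classify one parsed audit entry. Returns None for non-authenticate
    events, "success" for result 0, "disabled-mech" for a failure that used a
    mechanism the server does not enable (the spurious speculative-auth entry
    described in this ticket), and "failure" for every other failed attempt."""
    if event.get("atype") != "authenticate":
        return None
    if event.get("result") == 0:
        return "success"
    mech = event.get("param", {}).get("mechanism")
    if event.get("result") == AUTH_FAILED and mech not in enabled_mechanisms:
        return "disabled-mech"
    return "failure"


def triage(audit_lines, enabled_mechanisms):
    """Count authenticate events per (user@db, class) so that only the
    "failure" class feeds an alert on repeated bad-password attempts."""
    counts = Counter()
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        kind = classify_event(event, enabled_mechanisms)
        if kind is None:
            continue
        param = event.get("param", {})
        counts[(f"{param.get('user')}@{param.get('db')}", kind)] += 1
    return counts


# Constructed sample entries in mongod's JSON audit format, trimmed to the
# fields the triage uses (ts/local/remote/users/roles omitted); not real captures.
SAMPLE_AUDIT = """
{"atype":"authenticate","param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}
{"atype":"authenticate","param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authCheck","param":{"command":"find","ns":"test.c"},"result":0}
"""

if __name__ == "__main__":
    for (who, kind), n in sorted(triage(SAMPLE_AUDIT.splitlines(), {"SCRAM-SHA-1"}).items()):
        print(f"{who:12} {kind:14} {n}")
```

With only SCRAM-SHA-1 enabled, the first sample line is tagged "disabled-mech" and is the entry this ticket asks mongod to stop emitting; the third line is a genuine failed attempt and is counted separately.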

            Assignee: militsa.sotirova@mongodb.com Militsa Sotirova
            Reporter: spencer.brown@mongodb.com Spencer Brown
            Votes: 0
            Watchers: 7