[SERVER-13166] Enabled authentication still allows remote login without username Created: 12/Mar/14  Updated: 10/Dec/14  Resolved: 13/Mar/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.9
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Ryan Van Antwerp
Assignee: Andreas Nilsson
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-12143 Make some unauthenticated commands re... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

1. Install mongodb 2.4.9 server and configure with default settings
2. Add auth=true to mongodb.conf
3. Add an admin user, as per the manual
4. Restart mongodb
5. Attempt to connect from a remote host without specifying a username

Description

MongoDB server 2.4.9 with auth=true in mongodb.conf. Admin user created as per manual. Authenticated users can connect fine. Attempting to connect with any username and either no password or an incorrect password results in the following:

$ mongo <host> -u username
MongoDB shell version: 2.4.9
connecting to: <host>/test
Wed Mar 12 14:02:00.125 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228
exception: login failed

However, omitting a username allows a shell connection with limited access:

$ mongo <host>
MongoDB shell version: 2.4.9
connecting to: <host>/test
> db.system.users.find()
error: { "$err" : "not authorized for query on test.system.users", "code" : 16550 }
> db.version()
2.4.9
> db.adminCommand({forceerror:1})
{ "errmsg" : "exception: forced error", "code" : 10038, "ok" : 0 }

This could allow log clutter, server recon, and DoS depending on the architecture of the server.

Comments
Comment by Andreas Nilsson [ 13/Mar/14 ]

By design it is always possible to connect with the shell to the server without authenticating as a specific user. Once the connection is established there are a few commands that need to be executable without authentication, including the commands used to set up an authenticated connection.

As noted in this ticket there are currently a few commands available, such as forceerror, that are not needed unless authenticated. There is an existing ticket SERVER-12143 to reduce the number of commands possible in unauthenticated mode.

My suggestion is that we close this ticket and continue the discussion regarding the unauthenticated command surface in SERVER-12143.
