[SERVER-14614] Race condition in authentication could allow someone to authenticate as a different but same named user

Created: 18/Jul/14 Updated: 12/Jul/17 Resolved: 19/Jun/17

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Participants: | |

Description

In authentication_commands.cpp we load a user object, copy its credentials, release it, check if the credentials match and if so re-acquire the user object and add it to our list of authenticated users. There is an (unlikely to hit) race here where if a client begins an authentication as a user, and while doing so that user is dropped and a new user with the same name but a different password and different privileges is added, the client authenticating with the credentials of the first user could wind up authenticating successfully as the second user.
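
The check-then-re-acquire window described above, modelled deterministically as an added example (not MongoDB's code and not part of the ticket). `User`, `UserStore`, the per-user `id`, `authByName` and `authPinned` are hypothetical names, and the `between` hook is an assumption that stands in for a concurrent drop and re-create of the user.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <string>

// Hypothetical model. `id` is unique per created user, so a user dropped and
// re-created under the same name gets a new id. id 0 means "no user".
struct User { std::uint64_t id = 0; std::string credential; std::string role; };

class UserStore {  // stand-in for the server's user cache (assumption)
    std::map<std::string, User> users_;
    std::uint64_t nextId_ = 1;
public:
    void create(const std::string& n, const std::string& cred, const std::string& role) {
        User u; u.id = nextId_++; u.credential = cred; u.role = role;
        users_[n] = u;
    }
    void drop(const std::string& n) { users_.erase(n); }
    User acquire(const std::string& n) const {  // returns a copy; id 0 if absent
        auto it = users_.find(n);
        return it == users_.end() ? User() : it->second;
    }
};

// Runs in the window between the credential check and the re-acquire,
// standing in for a drop and re-create issued on another connection.
using Hook = std::function<void(UserStore&)>;

// Pattern from the description: check a copy, release, re-acquire by name.
User authByName(UserStore& s, const std::string& n, const std::string& presented,
                const Hook& between) {
    User snap = s.acquire(n);
    if (snap.id == 0 || snap.credential != presented) return User();
    between(s);
    return s.acquire(n);  // may be a different user that shares the name
}

// Hardened variant: the re-acquired record must be the user that was checked.
User authPinned(UserStore& s, const std::string& n, const std::string& presented,
                const Hook& between) {
    User snap = s.acquire(n);
    if (snap.id == 0 || snap.credential != presented) return User();
    between(s);
    User again = s.acquire(n);
    return again.id == snap.id ? again : User();  // replaced or dropped: fail closed
}
```

Binding the decision to an identity that changes on re-creation, rather than to the name, is what closes the window in this model; holding the user object across the check would have the same effect.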

Comments

Comment by Spencer Jackson [ 19/Jun/17 ]

Yes. The solution for SECURITY-445 was actually more comprehensive, as it prevented re-authorization of already authenticated users from encountering this same issue. I'm going to close this out as "Gone Away" with no further public comment, because |