[SERVER-35610] Refine LDAP options parsing Created: 15/Jun/18  Updated: 29/Oct/23  Resolved: 15/Jun/18

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: 3.4.16, 3.6.6, 4.0.0, 4.1.1

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
Backwards Compatibility: Minor Change
Backport Requested:
v4.0, v3.6, v3.4
Sprint: Platforms 2018-06-18

Description
Issue Status as of Jul 25, 2018

ISSUE DESCRIPTION AND IMPACT
In MongoDB Enterprise, when a mongod server accepts authentication attempts via the PLAIN mechanism on the $external database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, then passwords are not validated.

DIAGNOSIS AND AFFECTED VERSIONS
Users running MongoDB Enterprise 3.4 or 3.6 may be affected by this issue under the following conditions:

  • MongoDB is on Linux or macOS, and
  • The PLAIN authentication mechanism on MongoDB is enabled (--setParameter authenticationMechanisms=PLAIN), and either
    • MongoDB is configured to use native LDAP authentication, and MongoDB is configured to use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers by setting security.ldap.bind.saslMechanisms to contain 'GSSAPI', or
    • MongoDB is configured to use saslauthd with the LDAP backend and with ldap_mech set to 'GSSAPI'

When all these conditions are present, authentication to the $external database is possible using only LDAP usernames. Unfortunately there is no way to determine if this vulnerability has been exploited by a malicious client.

None of the following deployments are affected by this issue:

  • MongoDB 3.2 and MongoDB 4.0 deployments
  • MongoDB deployments running on Microsoft Windows
  • MongoDB deployments that have not been configured to use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers
  • MongoDB deployments that use the Cyrus SASL GSSAPI mechanism for LDAP authorization, but do not accept authentication attempts with the PLAIN authentication mechanism.
  • MongoDB deployments that use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers during LDAP authorization, which delegate inbound PLAIN authentication attempts to an instance of saslauthd that binds to LDAP servers via a mechanism other than GSSAPI.

REMEDIATION AND WORKAROUNDS
There are several solutions which may be used to mitigate this issue:

  • Option 1

    Administrators may disable the PLAIN mechanism for MongoDB, by removing 'PLAIN' from the authenticationMechanisms setParameter.

  • Option 2

    If the LDAP service account password is known, and MongoDB must accept inbound authentication attempts using the PLAIN mechanism, remove the ability to bind to LDAP servers using the Cyrus SASL GSSAPI mechanism. This can be done by changing the security.ldap.bind.saslMechanisms configuration parameter to a mechanism other than 'GSSAPI'.

  • Option 3

    If MongoDB must perform LDAP authorization against a server it binds to with GSSAPI, and if MongoDB must use GSSAPI to authenticate clients which present plaintext passwords, MongoDB can be configured to use GSSAPI to bind to LDAP servers, but must delegate PLAIN authentication attempts to a saslauthd instance using the 'kerberos5' backend.

    Configure saslauthd to use the 'kerberos5' backend, consulting the saslauthd documentation as necessary, and configure MongoDB to use it by setting setParameter.saslauthdPath to point to saslauthd's Unix domain socket.

FIX VERSIONS
MongoDB 3.6.6 and 3.4.16, available for download, contain a mitigation for this issue. Since affected deployments will fail to start after an upgrade, administrators must correct their configuration before upgrading as described above.
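Since affected deployments refuse to start once upgraded to a fixed version, the conditions and remediation options above translate directly into a pre-upgrade configuration audit. The following is an added example, not MongoDB's or saslauthd's own code: it takes a mongod configuration already parsed from YAML into a dict (using the documented option names from this issue), plus the saslauthd MECH backend and saslauthd.conf text when PLAIN is delegated, and reports whether the vulnerable combination is present. The sample configurations at the bottom are constructed.

```python
# Added audit helper for the SERVER-35610 conditions (example code, not from
# MongoDB). `conf` is a mongod config parsed from YAML into nested dicts.

def _csv_set(value):
    # Comma-separated option values such as "PLAIN,SCRAM-SHA-1" -> {"PLAIN", ...}
    return {m.strip().upper() for m in str(value or "").split(",") if m.strip()}

def plain_enabled(conf):
    return "PLAIN" in _csv_set(conf.get("setParameter", {}).get("authenticationMechanisms"))

def bind_uses_gssapi(conf):
    bind = conf.get("security", {}).get("ldap", {}).get("bind", {})
    return "GSSAPI" in _csv_set(bind.get("saslMechanisms"))

def saslauthd_ldap_mech(saslauthd_conf):
    # saslauthd.conf for the LDAP backend is "key: value" per line; ldap_mech
    # selects the SASL mechanism saslauthd itself binds to LDAP with.
    for line in saslauthd_conf.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "ldap_mech":
            return value.strip().upper()
    return None  # unset: saslauthd binds with a non-GSSAPI mechanism

def assess(conf, saslauthd_mech=None, saslauthd_conf=""):
    """Return (affected, reason). saslauthd_mech is the MECH value saslauthd
    runs with ("ldap", "kerberos5", ...); consulted only when mongod delegates
    PLAIN via setParameter.saslauthdPath."""
    if not plain_enabled(conf):
        return False, "PLAIN not in authenticationMechanisms"
    if not conf.get("setParameter", {}).get("saslauthdPath"):
        if bind_uses_gssapi(conf):
            return True, "native LDAP auth with security.ldap.bind.saslMechanisms containing GSSAPI"
        return False, "native LDAP auth binds without GSSAPI"
    if saslauthd_mech == "ldap" and saslauthd_ldap_mech(saslauthd_conf) == "GSSAPI":
        return True, "PLAIN delegated to saslauthd LDAP backend with ldap_mech GSSAPI"
    return False, "PLAIN delegated to saslauthd using a non-GSSAPI bind"

# Constructed sample: native LDAP with a GSSAPI bind and PLAIN enabled (affected).
VULNERABLE_CONF = {
    "setParameter": {"authenticationMechanisms": "PLAIN,SCRAM-SHA-1"},
    "security": {"ldap": {"bind": {"saslMechanisms": "GSSAPI"}}},
}
# Constructed sample: Option 3, PLAIN delegated to saslauthd's kerberos5 backend.
DELEGATED_CONF = {
    "setParameter": {"authenticationMechanisms": "PLAIN",
                     "saslauthdPath": "/var/run/saslauthd/mux"},  # placeholder path
    "security": {"ldap": {"bind": {"saslMechanisms": "GSSAPI"}}},
}

if __name__ == "__main__":
    print(assess(VULNERABLE_CONF))
    print(assess(DELEGATED_CONF, saslauthd_mech="kerberos5"))
```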



Comments
Comment by Githook User [ 19/Jun/18 ]

Author:

{'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}

Message: SERVER-35610 Refine LDAP options parsing

(cherry picked from commit bc372f0a85334204f435a09cc178727ec48b5541)
(cherry picked from commit 75494e7da469302608a263823625d415d475ddb0)
Branch: v3.4
https://github.com/10gen/mongo-enterprise-modules/commit/65076202d73830200c78d4edd088c4d7a5df475c

Comment by Githook User [ 18/Jun/18 ]

Author:

{'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}

Message: SERVER-35610 Refine LDAP options parsing

(cherry picked from commit bc372f0a85334204f435a09cc178727ec48b5541)
Branch: v3.6
https://github.com/10gen/mongo-enterprise-modules/commit/75494e7da469302608a263823625d415d475ddb0

Comment by Githook User [ 15/Jun/18 ]

Author:

{'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}

Message: SERVER-35610 Refine LDAP options parsing

(cherry picked from commit bc372f0a85334204f435a09cc178727ec48b5541)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/975a18a4c889dbb81468232095e61c88a96d3fef

Comment by Githook User [ 15/Jun/18 ]

Author:

{'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}

Message: SERVER-35610 Refine LDAP options parsing
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/bc372f0a85334204f435a09cc178727ec48b5541
