| Summary: | mongodb new security issue CVE-2013-1892 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/546486/ | | |
| Whiteboard: | has_procedure mga2-32-ok MGA2-64-OK | | |
| Source RPM: | mongodb-2.2.2-2.mga3.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser 2013-04-08 22:52:19 CEST

David Walser 2013-04-08 22:52:25 CEST
Whiteboard: (none) => MGA2TOO

Patched packages uploaded for Mageia 2 and Cauldron.

Note to QA, exploits are available from a blog post linked in Red Hat's bug, and there's a Metasploit module available for this.

Advisory:
========================

Updated mongodb packages fix security vulnerability:

MongoDB 2.4.1 and earlier is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application (CVE-2013-1892).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1892
http://www.securityfocus.com/bid/58695/info
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html
========================

Updated packages in core/updates_testing:
========================
mongodb-2.0.3-4.1.mga2
mongodb-server-2.0.3-4.1.mga2

from mongodb-2.0.3-4.1.mga2.src.rpm

Version: Cauldron => 2

Testing complete i586 with metasploit and the exploit from here http://www.securityfocus.com/bid/58695/exploit

Before
------

Edited /etc/mongod.conf and uncommented the port.

```
# service mongod start
Starting mongod (via systemctl):                            [  OK  ]
$ git clone https://github.com/bcoles/metasploit-framework.git metasploit
```

Save the exploit to metasploit/modules/exploits/linux/misc/

```
$ cd metasploit
$ ./msfconsole
msf > use exploit/linux/misc/58695
msf exploit(58695) > set RHOST localhost
RHOST => localhost
msf exploit(58695) > exploit
[*] Started reverse handler on 127.0.0.1:4444
[+] Mongo server localhost doesn't use authentication
[+] New document created in collection atcf
[*] Let's exploit, heap spray could take some time...
[*] Exploit completed, but no session was created.
```

In another terminal..

```
$ mongo
MongoDB shell version: 2.0.3
connecting to: test
Thu Apr 11 14:28:03 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed
# systemctl restart mongod.service
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: failed (Result: exit-code) since Thu, 11 Apr 2013 14:30:01 +0100; 2s ago
         Process: 12485 ExecStart=/usr/bin/mongod $OPTIONS --pidfilepath /var/run/mongo/mongo.pid run (code=exited, status=0/SUCCESS)
        Main PID: 12488 (code=exited, status=100)
          CGroup: name=systemd:/system/mongod.service
```

So it appears we're not vulnerable to the remote code execution but it does kill the server so still a DoS. It also prevents the server from being restarted without rm -rf /var/lib/mongo/*

Reading https://bugzilla.redhat.com/show_bug.cgi?id=928193#c2 Fedora found they were not vulnerable but don't mention the DoS.

After
-----

```
# rm -rf /var/lib/mongo/*
# systemctl restart mongod.service
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: active (running) since Thu, 11 Apr 2013 14:36:25 +0100; 2s ago
$ mongo
MongoDB shell version: 2.0.3
connecting to: test
> exit
bye
```

Testing with metasploit again..

```
msf exploit(58695) > exploit
[*] Started reverse handler on 127.0.0.1:4444
[+] Mongo server localhost doesn't use authentication
[+] New document created in collection zqgr
[*] Let's exploit, heap spray could take some time...
[*] Exploit completed, but no session was created.
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
          Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
          Active: active (running) since Thu, 11 Apr 2013 14:36:25 +0100; 2min 40s ago
```

So the update prevents the DoS and the CVE is closed.

Testing with a few bits from here.. http://docs.mongodb.org/manual/tutorial/getting-started/

Dropping the admin database created by metasploit

```
> show dbs
admin   0.0625GB
local   (empty)
> use admin
switched to db admin
> db.dropDatabase()
{ "dropped" : "admin", "ok" : 1 }
```

Followed the Getting Started tutorial OK.

Whiteboard: (none) => has_procedure mga2-32-ok

Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm mongodb-2.0.3-4.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated mongodb packages fix security vulnerability:

MongoDB 2.4.1 and earlier is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application (CVE-2013-1892).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1892
http://www.securityfocus.com/bid/58695/info
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html
https://bugs.mageia.org/show_bug.cgi?id=9670

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0118

Status: NEW => RESOLVED
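The QA run above hits two things besides the CVE itself: the Metasploit module reports that the mongod it reaches "doesn't use authentication", and once the server has been crashed it will not come back (main PID exits with status 100) until the data directory is wiped. The script below is an added example, written for this page and not part of the Mageia bug report, the mongodb package or the Metasploit module. It checks a MongoDB 2.0-style /etc/mongod.conf for the settings that decide whether an unauthenticated client can even reach the server-side JavaScript path the exploit drives (auth, bind_ip, noscripting), and checks a dbpath for the stale lock file left by an unclean shutdown. The key names are the 2.0 ini-style keys; reading a non-empty mongod.lock as "unclean shutdown" is an assumption drawn from the exit status 100 in the systemctl output, and the two sample configs are constructed for the example, the first mirroring the QA setup (stock config with only the port uncommented).

```shell
#!/bin/sh
# Added example, not part of the Mageia bug report or the mongodb package.
# Checks a MongoDB 2.0-style mongod.conf for the settings that shaped the
# QA result above, plus the stale-lock symptom seen after the crash.
# Key names (port, bind_ip, auth, noscripting, dbpath) are 2.0 ini-style keys;
# "non-empty mongod.lock means unclean shutdown" is an assumption.

# conf_value FILE KEY: print the value of the first uncommented "KEY = value"
# line with trailing comments and whitespace stripped, or nothing if unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | head -n 1 | sed 's/#.*//' | tr -d '[:space:]'
}

# mongod_exposure FILE: print one FINDING line per weak setting; return 1 if
# any was found, 0 if auth, a bind address and noscripting are all set.
mongod_exposure() {
    conf=$1
    rc=0
    if [ "$(conf_value "$conf" auth)" != "true" ]; then
        echo "FINDING: auth not enabled; any client that reaches the port can run db.eval/\$where"
        rc=1
    fi
    if [ -z "$(conf_value "$conf" bind_ip)" ]; then
        echo "FINDING: bind_ip unset; mongod listens on every interface (port $(conf_value "$conf" port))"
        rc=1
    fi
    if [ "$(conf_value "$conf" noscripting)" != "true" ]; then
        echo "FINDING: server-side JavaScript enabled (noscripting not set)"
        rc=1
    fi
    return $rc
}

# stale_lock DBPATH: succeed if DBPATH/mongod.lock exists and is non-empty,
# i.e. the previous mongod did not shut down cleanly (assumption, see above).
# Try "mongod --dbpath DBPATH --repair" before resorting to rm -rf on the data.
stale_lock() {
    [ -s "$1/mongod.lock" ]
}

# Constructed sample configs (not the Mageia package's file). The weak one
# mirrors the QA setup above: stock config, only the port uncommented.
write_weak_conf() {
    cat > "$1" <<'EOF'
port = 27017
#bind_ip = 127.0.0.1
#auth = true
dbpath = /var/lib/mongo
logpath = /var/log/mongodb/mongod.log
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
port = 27017
bind_ip = 127.0.0.1   # loopback only
auth = true
noscripting = true
dbpath = /var/lib/mongo
logpath = /var/log/mongodb/mongod.log
EOF
}

# Stand-alone use: sh mongod_check.sh /etc/mongod.conf /var/lib/mongo
if [ $# -ge 1 ]; then
    mongod_exposure "$1" && echo "OK: $1 has auth, bind_ip and noscripting set"
    if [ $# -ge 2 ] && stale_lock "$2"; then
        echo "FINDING: $2/mongod.lock is non-empty; last mongod did not shut down cleanly"
    fi
fi
```

Run against the QA box's config the weak-config branch reports all three findings, which is exactly the state the Metasploit module took advantage of. Note that noscripting = true is a trade-off rather than a free fix: it disables db.eval, $where and mapReduce for every client, so it belongs on servers that do not use server-side JavaScript; the package update remains the actual fix for CVE-2013-1892.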