Fedora has issued an advisory on March 29:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html

Mageia 2 is also affected.
Whiteboard: (none) => MGA2TOO
Patched packages uploaded for Mageia 2 and Cauldron.

Note to QA: exploits are available from a blog post linked in Red Hat's bug, and there's a Metasploit module available for this.

Advisory:
========================

Updated mongodb packages fix security vulnerability:

MongoDB 2.4.1 and earlier is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application (CVE-2013-1892).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1892
http://www.securityfocus.com/bid/58695/info
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html
========================

Updated packages in core/updates_testing:
========================
mongodb-2.0.3-4.1.mga2
mongodb-server-2.0.3-4.1.mga2

from mongodb-2.0.3-4.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: fundawang => qa-bugs
Whiteboard: MGA2TOO => (none)
Testing complete on i586 with metasploit and the exploit from here:
http://www.securityfocus.com/bid/58695/exploit

Before
------

Edited /etc/mongod.conf and uncommented the port.

# service mongod start
Starting mongod (via systemctl):  [  OK  ]

$ git clone https://github.com/bcoles/metasploit-framework.git metasploit

Save the exploit to metasploit/modules/exploits/linux/misc/

$ cd metasploit
$ ./msfconsole
msf > use exploit/linux/misc/58695
msf exploit(58695) > set RHOST localhost
RHOST => localhost
msf exploit(58695) > exploit

[*] Started reverse handler on 127.0.0.1:4444
[+] Mongo server localhost doesn't use authentication
[+] New document created in collection atcf
[*] Let's exploit, heap spray could take some time...
[*] Exploit completed, but no session was created.

In another terminal..

$ mongo
MongoDB shell version: 2.0.3
connecting to: test
Thu Apr 11 14:28:03 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed

# systemctl restart mongod.service
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
	  Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
	  Active: failed (Result: exit-code) since Thu, 11 Apr 2013 14:30:01 +0100; 2s ago
	 Process: 12485 ExecStart=/usr/bin/mongod $OPTIONS --pidfilepath /var/run/mongo/mongo.pid run (code=exited, status=0/SUCCESS)
	Main PID: 12488 (code=exited, status=100)
	  CGroup: name=systemd:/system/mongod.service

So it appears we're not vulnerable to the remote code execution, but it does kill the server, so it's still a DoS. It also prevents the server from being restarted without rm -rf /var/lib/mongo/*

Reading https://bugzilla.redhat.com/show_bug.cgi?id=928193#c2, Fedora found they were not vulnerable but don't mention the DoS.
After
-----

# rm -rf /var/lib/mongo/*
# systemctl restart mongod.service
# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
	  Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
	  Active: active (running) since Thu, 11 Apr 2013 14:36:25 +0100; 2s ago

$ mongo
MongoDB shell version: 2.0.3
connecting to: test
> exit
bye

Testing with metasploit again..

msf exploit(58695) > exploit

[*] Started reverse handler on 127.0.0.1:4444
[+] Mongo server localhost doesn't use authentication
[+] New document created in collection zqgr
[*] Let's exploit, heap spray could take some time...
[*] Exploit completed, but no session was created.

# systemctl status mongod.service
mongod.service - High-performance, schema-free document-oriented database
	  Loaded: loaded (/lib/systemd/system/mongod.service; enabled)
	  Active: active (running) since Thu, 11 Apr 2013 14:36:25 +0100; 2min 40s ago

So the update prevents the DoS and the CVE is closed.

Testing with a few bits from here..
http://docs.mongodb.org/manual/tutorial/getting-started/

Dropping the admin database created by metasploit:

> show dbs
admin	0.0625GB
local	(empty)
> use admin
switched to db admin
> db.dropDatabase()
{ "dropped" : "admin", "ok" : 1 }

Followed the Getting Started tutorial OK.
Whiteboard: (none) => has_procedure mga2-32-ok
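A defender-side check prompted by the QA run above, where the Metasploit module reported that the server "doesn't use authentication": this added Python example (not part of the bug report or of Mageia's packaging) parses an old-style key = value mongod.conf and flags a listener that is unauthenticated or reachable beyond loopback. The sample configuration is constructed, and treating noscripting as a hardening item is the example's own assumption, not something the bug report states.

```python
import re

# Constructed sample mirroring the QA setup above: port uncommented, auth left commented out.
SAMPLE_CONF = """\
# mongod.conf (constructed sample, old-style key = value format)
logpath = /var/log/mongodb/mongodb.log
dbpath = /var/lib/mongo
port = 27017
#auth = true
#bind_ip = 127.0.0.1
"""

TRUE_VALUES = {"true", "yes", "1", "on"}
LOOPBACK = re.compile(r"(127\.0\.0\.1|localhost|::1)(\s*,\s*(127\.0\.0\.1|localhost|::1))*")


def parse_mongod_conf(text):
    """Return {key: value} for active 'key = value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def is_true(settings, key):
    """Boolean options in this format read 'true'/'false'; an absent key means off."""
    return settings.get(key, "false").strip().lower() in TRUE_VALUES


def audit_settings(settings):
    """Return findings for settings that leave an unauthenticated listener exposed."""
    findings = []
    if not is_true(settings, "auth"):
        findings.append("auth is off: any client that can reach the port has full access")
    if not LOOPBACK.fullmatch(settings.get("bind_ip", "")):
        findings.append("bind_ip is not limited to loopback: port %s is reachable from the network"
                        % settings.get("port", "27017 (default)"))
    # Assumption of this example, not a statement from the bug report: server-side
    # scripting is a separate hardening knob worth reviewing on an exposed instance.
    if not is_true(settings, "noscripting"):
        findings.append("noscripting is off: server-side JavaScript is enabled")
    return findings


def audit_conf(text):
    """Convenience wrapper: audit_conf(open('/etc/mongod.conf').read()) on a real host."""
    return audit_settings(parse_mongod_conf(text))
```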
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm mongodb-2.0.3-4.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated mongodb packages fix security vulnerability:

MongoDB 2.4.1 and earlier is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application (CVE-2013-1892).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1892
http://www.securityfocus.com/bid/58695/info
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101630.html
https://bugs.mageia.org/show_bug.cgi?id=9670
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok MGA2-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0118
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED