Core Server: SERVER-100969

Mismatched x.509 subject CN grants cluster membership via mTLS in Replica Set

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Critical - P2
    • Affects Version/s: 7.0.15
    • Component/s: None
    • Server Security
    • ALL
    • Steps To Reproduce:
      1. Set up a MongoDB 7.0.15 replica set with mTLS authentication enabled on Ubuntu 22.04.
      2. Generate an x.509 certificate for replica set members (e.g., CN=db1.example.com, O=MyOrg, OU=MyUnit).
      3. Configure the replica set to use x.509 internally.
      4. Generate a separate x.509 certificate with the same O and OU, but a different CN (e.g., CN=malicious-client, O=MyOrg, OU=MyUnit).
      5. Use this certificate to authenticate to the replica set.
      6. Run the following command to check privileges:
        db.runCommand({ connectionStatus: 1, showPrivileges: true })
      7. Observe the output:
        {
        Unknown macro: { "authInfo"}
        ]
        },
        "ok": 1.0,
        "$clusterTime":
        Unknown macro: {"clusterTime"}
        }
    • RnD Security 2025-03-03

      When using mTLS/x.509 for authentication within a replica set, any client presenting a certificate with a subject that differs only by the Common Name (CN) from a replica set member's Fully Qualified Domain Name (FQDN) can successfully authenticate and be treated as a cluster member.

      Expected Behavior:
      A client certificate should not be authorized with privileges unless explicitly added as a user in the $external authentication database. Any user with a CN different from a replica set member's FQDN should be required to have explicit authorization in $external to gain any privileges.
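The behaviour behind the "Works as Designed" resolution is MongoDB's documented membership rule: a peer certificate is treated as a cluster member when its subject's O, OU and DC attributes equal those of the server's own cluster certificate, and the CN is ignored on purpose (each member carries its own hostname there). Any client certificate that shares O/OU/DC with the members therefore passes the membership check before any $external user lookup happens, so client certificates must differ from member certificates in at least one of O, OU or DC. The script below is an added, simplified model of that rule written for this page; it is not the server's code and not part of the ticket. The subject strings are constructed from the ticket's example, the `$external` lookup is approximated by a plain set of subject strings, and the DN parser handles only simple "ATTR=value,ATTR=value" input (no RFC 4514 escaping).

```python
"""
Simplified model of MongoDB's x.509 cluster-membership rule (added example,
not MongoDB code).

A peer is a cluster *member* when the O, OU and DC attributes of its subject
equal those of the cluster certificate; CN is ignored. A client certificate
sharing O/OU/DC with the members is therefore accepted as a member, with no
user in $external required, which is what this ticket observed.
"""
from collections import Counter

# Attributes the membership check compares; CN and everything else is ignored.
MEMBERSHIP_ATTRS = frozenset({"O", "OU", "DC"})

# The replica set member certificate from the ticket (constructed example).
MEMBER_SUBJECT = "CN=db1.example.com,O=MyOrg,OU=MyUnit"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=a,O=b,OU=c' into [('CN','a'), ('O','b'), ('OU','c')].

    Assumption: plain comma-separated RDNs, no escaped commas or multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def membership_key(dn: str) -> Counter:
    """Multiset of O/OU/DC values; attribute order and the CN do not matter."""
    return Counter((a, v) for a, v in parse_dn(dn) if a in MEMBERSHIP_ATTRS)


def is_cluster_member(peer_subject: str, member_subject: str = MEMBER_SUBJECT) -> bool:
    """True when the peer's O/OU/DC equal the cluster certificate's O/OU/DC."""
    return membership_key(peer_subject) == membership_key(member_subject)


def effective_identity(peer_subject: str, external_users: set[str],
                       member_subject: str = MEMBER_SUBJECT) -> str:
    """
    Approximate the outcome of x.509 authentication for one peer certificate:
    the membership check wins first; only non-members are looked up as
    ordinary users in $external (modelled here as a set of subject strings).
    """
    if is_cluster_member(peer_subject, member_subject):
        return "cluster-member"
    if peer_subject in external_users:
        return "external-user"
    return "unauthenticated"


def audit_client_subjects(client_subjects, member_subject: str = MEMBER_SUBJECT) -> list[str]:
    """Return client subjects that would collide with cluster membership.

    Run this over the subjects your CA issues to applications before deployment;
    every subject returned needs a different O, OU or DC from the member certs."""
    return [s for s in client_subjects if is_cluster_member(s, member_subject)]


if __name__ == "__main__":
    users = {"CN=app,O=MyOrg,OU=Clients"}  # the only user defined in $external
    for subj in (
        "CN=db2.example.com,O=MyOrg,OU=MyUnit",   # legitimate second member
        "CN=malicious-client,O=MyOrg,OU=MyUnit",  # the ticket's client cert
        "CN=app,O=MyOrg,OU=Clients",              # client separated by OU
        "CN=app,O=MyOrg,OU=MyUnit,DC=example",    # an extra DC also breaks the match
    ):
        print(f"{subj:45} -> {effective_identity(subj, users)}")
```

The point the audit function makes is the one a practitioner needs before rolling out mTLS: the membership decision is made entirely from O/OU/DC, so "malicious-client" differing only in CN is indistinguishable from "db2.example.com" to the server. Keeping client certificates on a different OU (or a different DC, or a separate issuing CA configured as the client CA) is what makes them fall through to the $external lookup.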

            Assignee:
            varun.ravichandran@mongodb.com Varun Ravichandran
            Reporter:
            gabriel.lindeborg@svenskaspel.se Gabriel Lindeborg
            Votes:
            0
            Watchers:
            5