MongoDB is a popular NoSQL database frequently used for web applications and big-data workloads. As the number of users and the volume of data grow, securing connections to MongoDB servers becomes a critical concern. To protect the confidentiality and integrity of data in transit, SSL/TLS encryption can be enabled for connections to MongoDB servers. However, a recently disclosed vulnerability, CVE-2024-25141, can leave those SSL/TLS connections insecure and expose data to leakage.

Exploit Details

The CVE-2024-25141 vulnerability exists in a feature called the Mongo Hook. When SSL is enabled for connections made through the Mongo Hook, the default settings turn on the "allow_insecure" option, so SSL/TLS certificates are not validated. This behavior was unexpected and undocumented, which made it difficult for users to discover the issue.

"allow_insecure" is a security risk that can lead to man-in-the-middle attacks, data tampering, and unauthorized access to sensitive data stored in MongoDB. Because the SSL certificate is never validated, an attacker positioned between client and server can intercept the connection, present a fake MongoDB server, and manipulate the data as they wish.

The vulnerable code snippet below demonstrates the default settings, which include "allow_insecure":

def __init__(self, conn_id: str) -> None:
    # MongoHook is the Mongo Hook described above; create_transport is the
    # helper this snippet assumes for building the connection transport.
    self.mongo = MongoHook(conn_id)
    self.conn = self.mongo.get_conn()
    self.db = self.conn[self.mongo.schema]
    self.collection = self.db[self.mongo.table]

    # Start: Insecure connection settings
    self.ssl = self.mongo.port in (465, 587)

    if self.ssl:
        # The default enables allow_insecure, so the server's
        # SSL/TLS certificate is never validated.
        self.transport = create_transport(allow_insecure=True)
    # End: Insecure connection settings

Mitigation Steps

To address this vulnerability, users are advised to upgrade to version 4.., which removes the "allow_insecure" option and enforces SSL/TLS certificate validation by default. The updated code snippet is shown below:

def __init__(self, conn_id: str) -> None:
    # Same Mongo Hook as above; create_transport is the assumed helper.
    self.mongo = MongoHook(conn_id)
    self.conn = self.mongo.get_conn()
    self.db = self.conn[self.mongo.schema]
    self.collection = self.db[self.mongo.table]

    # Start: Secure connection settings
    self.ssl = self.mongo.port in (465, 587)

    if self.ssl:
        # No allow_insecure option: certificate validation is enforced by default.
        self.transport = create_transport()
    # End: Secure connection settings

Upgrading to version 4.. can be done by following the instructions in the official release notes on the MongoDB website: MongoDB 4.. Release Notes
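A practical way to catch the weak setting this page describes before upgrading is to audit connection options for flags that switch off certificate validation. The example below is added here and is not code from the page or from the Mongo Hook project; it checks the standard MongoDB URI TLS options (tls, ssl, tlsInsecure, tlsAllowInvalidCertificates, tlsAllowInvalidHostnames) plus the hook-level "allow_insecure" key named on this page, and the sample URIs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Standard MongoDB URI options that weaken TLS validation (lower-cased for lookup).
INSECURE_TLS_OPTIONS = {
    "tlsinsecure": "disables all TLS certificate and hostname checks",
    "tlsallowinvalidcertificates": "skips certificate chain validation",
    "tlsallowinvalidhostnames": "skips hostname verification",
}
TRUE_VALUES = {"true", "1", "yes"}


def _is_true(value) -> bool:
    return str(value).strip().lower() in TRUE_VALUES


def audit_tls_options(options: dict) -> list:
    """Return findings for a set of connection options.

    `options` maps option name -> value, as read from a URI query string or a
    hook's connection 'extra' dictionary. Names are compared case-insensitively,
    as MongoDB drivers do.
    """
    opts = {str(k).lower(): v for k, v in options.items()}
    findings = []
    tls_on = _is_true(opts.get("tls", opts.get("ssl", "false")))
    if not tls_on:
        findings.append("TLS is not enabled: data in transit is unencrypted")
        return findings
    for name, why in INSECURE_TLS_OPTIONS.items():
        if _is_true(opts.get(name, "false")):
            findings.append(f"{name}=true {why}")
    # Hook-level key described on this page (assumed to live in the same dict).
    if _is_true(opts.get("allow_insecure", "false")):
        findings.append("allow_insecure=true disables certificate validation in the hook")
    return findings


def audit_mongo_uri(uri: str) -> list:
    """Parse a mongodb:// URI and audit the TLS options in its query string."""
    options = {k: v[-1] for k, v in parse_qs(urlsplit(uri).query).items()}
    return audit_tls_options(options)


# Constructed sample URIs: one weak, one that pins a CA file and keeps validation on.
INSECURE_URI = "mongodb://db.example.internal:27017/app?tls=true&tlsAllowInvalidCertificates=true"
SECURE_URI = "mongodb://db.example.internal:27017/app?tls=true&tlsCAFile=/etc/ssl/mongo-ca.pem"

if __name__ == "__main__":
    for uri in (INSECURE_URI, SECURE_URI):
        print(uri, "->", audit_mongo_uri(uri) or ["ok"])
```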

Conclusion

The CVE-2024-25141 vulnerability exposes MongoDB connections made through the Mongo Hook feature to insecure SSL/TLS connections, potentially leading to data tampering, unauthorized access, and man-in-the-middle attacks. It is crucial to be aware of this vulnerability and apply the suggested mitigation by upgrading to version 4.. or later. Review and maintain secure connection configurations regularly to keep your applications protected.

Timeline

Published on: 02/20/2024 21:15:08 UTC
Last modified on: 02/20/2024 22:15:08 UTC