MongoDB Server
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*
- 6.0.0
- 7.0.0
- 8.1.0-rc0
- 8.0.0
- 8.2.0-rc0
A denial-of-service vulnerability has been identified in MongoDB Server versions 7.0 prior to 7.0.26 and 8.0 prior to 8.0.14. The cause is a racy authorization check in the killCursors command: a user with only limited privileges can terminate cursors, and therefore the queries behind them, that belong to other users, so that some of those queries never complete.
Successful exploitation results in a denial of service in which affected queries are interrupted before they finish, disrupting application performance or functionality for the users whose cursors were killed.
A user with access to the MongoDB cluster and only limited privileges can reproduce the issue. When killCursors is issued for a cursor ID that does not currently exist, the authorization check lets the command proceed instead of rejecting it. Because cursor IDs are generated with a predictable, non-cryptographic random number generator, an attacker who observes the IDs of their own cursors can predict the IDs that will be allocated next and issue killCursors for them; when the timing is right, a cursor opened by another user under one of those IDs is terminated before the query that owns it can finish.
Upgrade to MongoDB Server 7.0.26 or 8.0.14 (or later), where this vulnerability is fixed.
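The following version-triage helper is an added example and is not code from MongoDB or from this advisory. It encodes only the two affected ranges named in the description above (7.0 before 7.0.26, 8.0 before 8.0.14); the 6.0.0, 8.1.0-rc0 and 8.2.0-rc0 entries in the version list at the top are not assigned a fixed release by the text, so they are reported as not in a named range. The inventory it triages is constructed sample data, and check_server is an assumed helper that reads buildInfo with pymongo (imported lazily so everything else runs offline).

```python
"""Triage MongoDB Server versions against the killCursors advisory ranges.

Added example, not MongoDB's code. Affected ranges are transcribed from the
advisory text: 7.0 prior to 7.0.26 and 8.0 prior to 8.0.14.
"""
import re
from typing import List, Tuple

# (major, minor) -> first fixed patch release, per the advisory text.
FIXED_IN = {
    (7, 0): (7, 0, 26),
    (8, 0): (8, 0, 14),
}

# Matches "7.0.25", "8.1.0-rc0", "8.0.14-alpha1"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+\d*))?$")


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a MongoDB version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(version: str) -> bool:
    """True if the version is inside a range the advisory calls vulnerable.

    A pre-release of the fixed version (e.g. 8.0.14-rc0) sorts below the
    fixed release, so it is still treated as affected. Series the advisory
    does not name (6.0, 8.1, 8.2, ...) return False: not in a named range.
    """
    major, minor, patch, pre = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False
    triple = (major, minor, patch)
    return triple < fixed or (triple == fixed and pre)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Classify a list of (host, version) pairs; returns (host, version, affected)."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


def check_server(uri: str) -> Tuple[str, bool]:
    """Assumed helper: read the running version via buildInfo and classify it.

    Needs a reachable server and pymongo installed; imported here so the
    offline functions above do not depend on it.
    """
    from pymongo import MongoClient
    client = MongoClient(uri, serverSelectionTimeoutMS=5000)
    try:
        version = client.admin.command("buildInfo")["version"]
    finally:
        client.close()
    return version, is_affected(version)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("db-prod-1.example.internal", "7.0.25"),
    ("db-prod-2.example.internal", "7.0.26"),
    ("db-analytics.example.internal", "8.0.13"),
    ("db-staging.example.internal", "8.0.14"),
    ("db-legacy.example.internal", "6.0.20"),
]

if __name__ == "__main__":
    for host, ver, affected in triage(SAMPLE_INVENTORY):
        print(f"{host:32} {ver:10} {'UPGRADE' if affected else 'ok'}")
```

Run it as-is to see the sample triage; point check_server at a real connection string to classify a live server from its reported buildInfo version.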