Code execution on Windows via OpenSSL engine injection
Description
MongoDB on Windows allows unprivileged users to create OpenSSL config files, leading to arbitrary code execution when utilities run.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-2390 affects MongoDB Server versions 4.0 prior to 4.0.11, 3.6 prior to 3.6.14, and 3.4 prior to 3.4.22 on the Windows platform. The vulnerability arises because an unprivileged user or program can create OpenSSL configuration files in a fixed, writable location. When MongoDB utility programs (shipped with the server) load OpenSSL configurations, they may read from this location, allowing attacker-controlled code to be executed in the context of the user running the utility [1].
Exploitation
An attacker must have the ability to create or write files to the fixed OpenSSL configuration directory on Windows. No special privileges are needed beyond standard user access. The attacker creates a malicious OpenSSL configuration file in that location. When a MongoDB utility (such as mongo, mongodump, etc.) is subsequently executed by a user, the utility loads the configuration, which triggers the execution of the attacker’s code. The attack requires no user interaction beyond normal invocation of the utility [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the MongoDB utility. This can lead to full compromise of the user’s session and potentially the system, depending on the user’s rights. The impact is limited to Windows systems and does not affect MongoDB server processes directly, but rather the auxiliary tools [1].
Mitigation
MongoDB fixed this issue in versions 4.0.11, 3.6.14, and 3.4.22. Users should upgrade to these or later versions. There is no known workaround for older versions other than restricting write access to the OpenSSL configuration directory. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
MongoDB Inc. / MongoDB Server (range: 4.0)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] https://jira.mongodb.org/browse/SERVER-42233 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.