SurrealDB, Unauthorized Data Exposure via LIVE Query, CVE-2025-XXXXX (Moderate)


The vulnerability lies in SurrealDB’s real-time LIVE query mechanism. When a user subscribes to a LIVE SELECT query on a table, the database engine pushes updates for all record changes. The flaw is in the notification filtering logic. Upon a record update or deletion, the system broadcasts the change event to every active LIVE query subscriber for that table without re-validating each subscriber’s permissions against the altered record’s new state. A low-privilege user can establish a subscription to a table. When a higher-privileged user modifies a record the attacker should not see, the event containing the record data is still sent to the low-privilege subscriber, because the authorization check is performed only at subscription time and is not re-evaluated for subsequent data pushes, leading to unauthorized data exposure.
Platform: SurrealDB
Version: Specific versions unknown
Vulnerability: Access Control Bypass
Severity: Moderate

Date: 2024-09-26

Prediction: Patch expected by 2024-10-10

What Undercode Says:

curl -X POST "http://localhost:8000/sql" -H "NS: test" -H "DB: test" -u "user:pass" -d "LIVE SELECT * FROM records;"
(SurrealQL requires a projection after LIVE SELECT, e.g. `*` or `DIFF`; note that LIVE queries are only kept open over a WebSocket connection, so the SDK call below is the form that actually receives the pushed events.)
Attacker's session receives events for all record changes.
// Example SurrealDB JS SDK live query subscription over a WebSocket connection
const queryId = await db.live('records', ({ action, result }) => {
  // action is CREATE, UPDATE or DELETE; result carries the record as pushed by the server
  console.log(action, result); // Logs every pushed change, including records the caller may not SELECT
});

How to Exploit:

An attacker authenticates with minimal ‘record’ or ‘guest’ permissions and subscribes to a LIVE SELECT query on a sensitive table. They then wait for or induce an authorized user to update or delete records within that table. The attacker’s client receives real-time notifications containing the full content of the altered records, bypassing table-level and record-level access controls.

Protection from this CVE:

Immediately audit and restrict LIVE query permissions (table PERMISSIONS for SELECT, and which roles may issue LIVE SELECT at all). Apply the vendor patch upon release. As a temporary mitigation, consider disabling LIVE queries for all low-privilege users or for tables containing sensitive data until the patch is applied.
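To make the flaw and the fix concrete, here is an added model (not SurrealDB’s code) of a LIVE query dispatcher: the flawed variant admits a subscriber once and then forwards every change, while the fixed variant re-evaluates the table’s SELECT permission against each record’s new state before pushing it. The table rule, subscriber names and record contents are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]
# A SELECT permission: given the subscriber and the record's current state, may they see it?
Permission = Callable[[str, Record], bool]


@dataclass
class Subscriber:
    name: str
    inbox: List[Tuple[str, Record]] = field(default_factory=list)


@dataclass
class LiveTable:
    permission: Permission       # the table's SELECT rule (hypothetical "owner == $auth")
    recheck_on_notify: bool      # False models the flawed behaviour, True the fix
    subscribers: List[Subscriber] = field(default_factory=list)

    def subscribe(self, sub: Subscriber) -> None:
        # Both variants accept the subscription here. A check at this point can only
        # consider the table, not the records that will change later.
        self.subscribers.append(sub)

    def notify(self, action: str, record: Record) -> None:
        for sub in self.subscribers:
            if self.recheck_on_notify and not self.permission(sub.name, record):
                continue  # fixed: drop the event if the subscriber may not SELECT this record
            sub.inbox.append((action, record))


def owner_only(subscriber: str, record: Record) -> bool:
    """Constructed rule: a record is visible only to the user named in its owner field."""
    return record.get("owner") == subscriber


def run_scenario(recheck_on_notify: bool) -> Dict[str, List[Tuple[str, Record]]]:
    """Two subscribers watch 'records'; an admin then updates and deletes alice's record."""
    table = LiveTable(permission=owner_only, recheck_on_notify=recheck_on_notify)
    alice, mallory = Subscriber("alice"), Subscriber("mallory")
    table.subscribe(alice)
    table.subscribe(mallory)
    row = {"id": "records:1", "owner": "alice", "secret": "constructed-value"}
    table.notify("UPDATE", row)   # constructed change events from a higher-privileged user
    table.notify("DELETE", row)
    return {s.name: s.inbox for s in (alice, mallory)}
```

With recheck_on_notify=False mallory’s inbox receives both events for alice’s record; with True it stays empty while alice still receives both.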

Impact:

Unauthorized disclosure of sensitive information stored in the database. Potential exposure of all data within a table subscribed to via a LIVE query, contingent on other users modifying records.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
