Headline
GHSA-3v2x-9xcv-2v2v: SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions
Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or futures. Futures are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (closures) are executed under the privileges of the invoking user, not the creator.
This results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions.
Impact
An attacker who can create or update function/future fields can plant logic that executes with a privileged user’s context. If a privileged user performs a write that touches the malicious field, the attacker can achieve full privilege escalation (e.g., create a root owner and take over the server).
If a privileged user performs a read action on the malicious field, this attack vector could still be potentially be used to perform limited denial of service or, in the specific case where the network capability was explicitly enabled and unrestricted, exfiltrate database information over the network.
Patches
Versions prior to 2.5.0 and 3.0.0-beta.3 are vulnerable.
For SurrealDB 3.0, futures are no longer supported, replaced by computed fields, only available within schemaful tables.
Further to this patches for 2.5.0 and 3.0.0-beta.3:
- Implements an
auth_limiton defined apis, functions, fields and events, that limits execution to the permissions of the creating user instead of the invoking user. - Prevents
closuresfrom being stored, that eliminates a potential attack surface. For 2.5.0 this can still be allowed by using theinsecure_storable_closurescapability - Ensures the proper auth level is used to compute expressions in signin & signup
Workarounds
Users unable to patch are advised to evaluate their use of the database to identify where low privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields and events, and recommended to minimise these instances.
References
Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or futures. Futures are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (closures) are executed under the privileges of the invoking user, not the creator.
This results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions.
Impact
An attacker who can create or update function/future fields can plant logic that executes with a privileged user’s context. If a privileged user performs a write that touches the malicious field, the attacker can achieve full privilege escalation (e.g., create a root owner and take over the server).
If a privileged user performs a read action on the malicious field, this attack vector could still be potentially be used to perform limited denial of service or, in the specific case where the network capability was explicitly enabled and unrestricted, exfiltrate database information over the network.
Patches
Versions prior to 2.5.0 and 3.0.0-beta.3 are vulnerable.
For SurrealDB 3.0, futures are no longer supported, replaced by computed fields, only available within schemaful tables.
Further to this patches for 2.5.0 and 3.0.0-beta.3:
- Implements an auth_limit on defined apis, functions, fields and events, that limits execution to the permissions of the creating user instead of the invoking user.
- Prevents closures from being stored, that eliminates a potential attack surface. For 2.5.0 this can still be allowed by using the insecure_storable_closures capability
- Ensures the proper auth level is used to compute expressions in signin & signup
Workarounds
Users unable to patch are advised to evaluate their use of the database to identify where low privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields and events, and recommended to minimise these instances.
References
Futures
Closures
SurrealDB Environment Variables
References
- GHSA-3v2x-9xcv-2v2v
- surrealdb/surrealdb@f515c91
- https://github.com/surrealdb/surrealdb/releases/tag/v2.5.0
- https://github.com/surrealdb/surrealdb/releases/tag/v3.0.0-beta.2