GHSA-3v2x-9xcv-2v2v

Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or futures. Futures are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (closures) are executed under the privileges of the invoking user, not the creator.

This results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions. 

Impact

An attacker who can create or update function/future fields can plant logic that executes with a privileged user’s context. If a privileged user performs a write that touches the malicious field, the attacker can achieve full privilege escalation (e.g., create a root owner and take over the server). 

If a privileged user performs a read action on the malicious field, this attack vector could still be potentially be used to perform limited denial of service or, in the specific case where the network capability was explicitly enabled and unrestricted, exfiltrate database information over the network.

Patches

Versions prior to 2.5.0 and 3.0.0-beta.3 are vulnerable.

For SurrealDB 3.0, futures are no longer supported, replaced by computed  fields, only available within schemaful tables. 

Further to this patches for 2.5.0 and 3.0.0-beta.3: 

• Implements an auth_limit on defined apis, functions, fields and events, that limits execution to the permissions of the creating user or the invoking user, whichever is lower.
• Prevents closures from being stored, that eliminates a potential attack surface. For 2.5.0 this can still be allowed by using the insecurestorableclosures capability
• Ensures the proper auth level is used to compute expressions in signin & signup

For existing apis, events, fields and functions defined prior to upgrading to 2.5.0 or 3.0.0-beta.3 `authlimit will not apply, to avoid breaking changes. These will need to subsequently be redefined so that authlimit` can take effect.

Workarounds

Users unable to patch are advised to evaluate their use of the database to identify where low privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields and events, and recommended to minimise these instances.

References

Futures

Closures

SurrealDB Environment Variables