CVE-2024-56178
📋 TL;DR
This vulnerability allows users with the security_admin_local role in Couchbase Server to create new users with admin privileges, bypassing intended role separation. It affects Couchbase Server 7.6.x through 7.6.3 installations where users have been granted the security_admin_local role.
💻 Affected Systems
- Couchbase Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with security_admin_local privileges could create a new user with full admin rights, gaining complete control over the Couchbase cluster including data access, configuration changes, and user management.
Likely Case
A legitimate user holding the security_admin_local role could, unintentionally or deliberately, escalate privileges by creating admin users, violating the principle of least privilege.
If Mitigated
With proper role separation and monitoring, the impact is limited to authorized users who already have significant administrative privileges.
🎯 Exploit Status
Exploitation requires authenticated access with security_admin_local privileges and knowledge of Couchbase user management commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.4 or later
Vendor Advisory: https://www.couchbase.com/alerts/
Restart Required: Yes
Instructions:
1. Download Couchbase Server 7.6.4 or later from official sources.
2. Back up all data and configurations.
3. Stop Couchbase Server services.
4. Install the updated version.
5. Restart Couchbase Server services.
6. Verify the upgrade was successful.
🔧 Temporary Workarounds
Remove security_admin_local role
Temporarily remove the security_admin_local role from users until patching is complete (replace username below with the affected account):
cbq -e http://localhost:8091 -u Administrator -p password -s "REVOKE security_admin_local FROM username"
Implement role monitoring
Monitor user creation and role assignment activities.
🧯 If You Can't Patch
- Review and audit all users holding the security_admin_local role, and consider removing or restricting that role
- Implement strict monitoring and alerting for user creation and role assignment events
🔍 How to Verify
Check if Vulnerable:
Run 'couchbase-server --version'; if the reported version is 7.6.0 through 7.6.3, the installation is affected.
Check Version:
couchbase-server --version
Verify Fix Applied:
After patching, confirm the reported version is 7.6.4 or later, then test that a user holding only the security_admin_local role can no longer create a user with admin privileges.
📡 Detection & Monitoring
Log Indicators:
- User creation events in Couchbase audit logs
- Role assignment events showing admin role being granted
Network Indicators:
- Unusual user management API calls from security_admin_local users
SIEM Query:
source="couchbase" AND (event_type="user_created" OR event_type="role_assigned") AND role="admin"
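As an added example (not part of this advisory), the detection logic below runs over constructed sample audit lines and flags the pattern the indicators above describe: a "set user" event that grants the admin role, performed by an account that itself holds only security_admin_local. The audit field names and the role snapshot are assumptions modelled on the general shape of Couchbase's JSON audit log, not values taken from a real system.

```python
import json

FULL_ADMIN_ROLES = {"admin"}  # cluster-wide Full Admin role
SUSPECT_ROLE = "security_admin_local"  # the role this advisory concerns

# Constructed snapshot of each account's roles (assumed values), e.g. as listed
# by `couchbase-cli user-manage --list` before the review.
ACTOR_ROLES = {"Administrator": {"admin"}, "bob": {SUSPECT_ROLE}}

# Constructed sample audit records. Field names follow the general shape of
# Couchbase's JSON audit log ("description", "real_userid", "identity",
# "roles"); every value here is invented for this example.
SAMPLE_AUDIT_LINES = [
    '{"timestamp":"2025-01-10T10:00:00Z","description":"set user",'
    '"real_userid":{"domain":"local","user":"Administrator"},'
    '"identity":{"domain":"local","user":"alice"},"roles":["bucket_admin[travel]"]}',
    '{"timestamp":"2025-01-10T10:05:00Z","description":"set user",'
    '"real_userid":{"domain":"local","user":"bob"},'
    '"identity":{"domain":"local","user":"newadmin"},"roles":["admin"]}',
    '{"timestamp":"2025-01-10T10:06:00Z","description":"login success",'
    '"real_userid":{"domain":"local","user":"bob"}}',
    "not json at all",
]


def find_admin_grants_by_non_admins(lines, actor_roles):
    """Return 'set user' audit records in which an actor who holds no
    full-admin role gave a user a full-admin role."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if rec.get("description") != "set user":
            continue
        admin_granted = set(rec.get("roles", [])) & FULL_ADMIN_ROLES
        if not admin_granted:
            continue
        actor = rec.get("real_userid", {}).get("user", "")
        if actor_roles.get(actor, set()) & FULL_ADMIN_ROLES:
            continue  # a Full Admin creating another admin is expected
        hits.append({
            "timestamp": rec.get("timestamp"),
            "actor": actor,
            "actor_roles": sorted(actor_roles.get(actor, set())),
            "target": rec.get("identity", {}).get("user"),
            "granted": sorted(admin_granted),
        })
    return hits
```

On the sample data only the record where bob (security_admin_local) grants admin to newadmin is returned; the Full Admin's routine bucket_admin grant, the login event and the malformed line are all ignored.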