600TB of data exposed by admins due to using unpatched versions of NoSQL MongoDB database
“There’s a total of 595.2TB of data exposed on the internet via publicly accessible MongoDB instances that don’t have any form of authentication,” Matherly wrote in a blog post. “It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which the platform listens for connections on all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” he added.
The security issue had been brought to light over three years ago as a critical vulnerability; however, according to Matherly, it was only patched around two years ago.
According to the 2012 security advisory, affected older versions of MongoDB do not set the ‘bind_ip 127.0.0.1’ option in mongodb.conf, leaving the server exposed if the user is unaware of the setting.
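The two settings behind the exposure, the missing ‘bind_ip’ and authentication not being enabled, can be checked directly in a server's configuration. The following audit script is an added example written for this article (not Shodan's or MongoDB's code); it assumes the legacy pre-2.6 ‘key = value’ mongod.conf format and the option names bind_ip, auth and noauth from that format.

```python
"""Audit a legacy (pre-2.6, 'key = value') mongod.conf for the two settings
behind the exposure described above: listening on every interface and
running without authentication. Example code for this article, not MongoDB's."""

def parse_legacy_conf(text):
    """Parse 'key = value' lines; '#' starts a comment. Later keys override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

WILDCARD_ADDRS = {"0.0.0.0", "::", ""}   # any of these means "all interfaces"
TRUE_VALUES = {"true", "1", "yes"}

def audit_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    s = parse_legacy_conf(text)
    findings = []
    # No bind_ip at all means the old default: accept connections on every interface.
    bind_ip = s.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip not set: mongod listens on all interfaces (pre-2.6 default)")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in WILDCARD_ADDRS for a in addrs):
            findings.append(f"bind_ip includes a wildcard address: {bind_ip}")
    # Authentication must be switched on explicitly, and noauth must not undo it.
    auth_on = s.get("auth", "false").lower() in TRUE_VALUES
    noauth = s.get("noauth", "false").lower() in TRUE_VALUES
    if noauth or not auth_on:
        findings.append("authentication disabled: set 'auth = true' and remove 'noauth'")
    return findings

# Constructed sample configs for the demonstration, not taken from any real deployment.
EXPOSED_CONF = """\
# cloud-image style config: no bind_ip, no auth
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
"""

HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
# loopback only, and credentials required
bind_ip = 127.0.0.1
auth = true
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["ok"])
```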
“The default should be to lock down as much as possible and only expose if the user requests it.”
Only versions older than 2.6 appeared to be affected – a significant problem given that most users are on versions 2.4.9 and 2.4.10, followed by 2.6.7, Matherly wrote.
“My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software,” Matherly said.
“Recently a blog post was published that claimed some users had not properly secured their instances of MongoDB and were therefore at risk. As the article explains, the potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB – extensive security capabilities are included with MongoDB.
“We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarised here [link below], or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices.”