MongoDB admins accidentally expose 600TB of data

0
MongoDB admins accidentally expose 600TB of data

600TB of data exposed by admins due to using unpatched versions of NoSQL MongoDB database

System administrators of MongoDB database have exposed nearly exposed almost 595.2 Terabytes (TB) of MongoDB database by running outdated and unpatched versions of the NoSQL MongoDB database according to security researchers, John Matherly.
The open source MongoDB is the most popular NoSQL database used by companies of all sizes, from eBay and Sourceforge to The New York Times and LinkedIn.
Shodan hacker, Matherly said nearly 30,000 databases had been exposed because admins were using out of date versions of the NoSQL database which failed to bind to localhost.

“There’s a total of 595.2TB of data exposed on the internet via publicly accessible MongoDB instances that don’t have any form of authentication,” he said. “It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which the platform listens for connections on all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” he added.

While investigating NoSQL databases, Matherly focused on MongoDB that is growing in popularity.

“It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which listening is enabled for all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” Matherly wrote in a blog post.

The security issue had been brought to light over three years ago as a critical vulnerability, however it was only patched around 2 years ago according to Matherly.

Affected older versions of MongoDB lack a ‘bind_ip 127.0.0.1’ option set in the mongodb.conf, leaving their server vulnerable if the user is unaware of the setting, the 2012 security advisory stated.

“The default should be to lockdown as much as possible and only expose if the user requests it.”

Matherly said it appeared only older versions than 2.6 were affected – a significant problem given most users are on version 2.4.9 and 2.4.10, followed by 2.6.7, he wrote.

Majority of publicly exposed MongoDB instances run on cloud servers such as Amazon, Digital Ocean, Linode, and Internet service and hosting provider OVH and do so without authentication, making cloud services more buggy than datacenter hosting.

“My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software,” Matherly said.

This isn’t first time when MongoDB instances are exposed to the Internet, back in February German researchers found nearly 40,000 MongoDB instances openly available on the Internet. Affected users are recommended to immediately switch to the latest versions as soon as possible.
When contacted about the security aspects, MongoDB VP, Kelly Stiman emailed to Techwork that,
“Recently a blog post was published that claimed some users had not properly secured their instances of MongoDB and were therefore at risk. As the article explains, the potential issue is a result of how a user might configure their deployment without security enabled.  There is no security issue with MongoDB – extensive security capabilities are included with MongoDB.

“We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarised here [link below], or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices.”

https://www.mongodb.com/blog/post/july-mongodb-security-best-practices

LEAVE A REPLY

Please enter your comment!
Please enter your name here