Description
This report identifies hosts that have the MongoDB NoSQL database running and accessible on the Internet. While authentication is available for MongoDB, in many instances this authentication is not enabled.
- Our initial probe tests to see if MongoDB is accessible on the Internet and collecting the system information that it discloses.
- A secondary probe is then performed to determine if a list of databases can be obtained. If an error message is generated in response to this probe, the “visible_databases” field will say “none visible”, but if no error message is generated (indicating that no authentication is in use), the “visible_databases” field will list the first five databases that were returned.
Assessment
The entries in this report are hosts that have the MongoDB service open towards the internet. This service has multiple vulnerabilities which allow an attacker to extract data from the DB. The report includes the version of MongoDB, which makes it easy to map its vulnerabilities. Additionally, there are a lot of MongoDB services which are not secured. This means an attacker can extract data and make changes while unauthenticated. There have been hacking groups doing this on a mass scale like Unistellar. The likelihood of an attacker abusing one of the detected MongoDB services is medium. It requires manual verification to identify vulnerabilities and to assess the configured security of the service. If an attacker successfully breaches a MongoDB service, he/she will have read and/or write access to the database. That is why the impact is set to high.
Recommendations
- Restrict access to the database server to internal networks.
- If remote access is necessary to use a VPN or at least enable authentication[2] and make sure strong passwords are used.
References
Shadow Server – MongoDB Scanning Project
MongoDB – Homepage
MITRE – MongoDB CVE