Discovered 40000 vulnerable MongoDB databases on the Internet by Pierluigi Paganini.
From the post:
Today MongoDB is used by many organizations; the bad news is that nearly 40,000 entities running MongoDB are exposed and vulnerable to risks of hacking attacks.
Three students from University of Saarland in Germany, Kai Greshake, Eric Petryka and Jens Heyens, discovered that MongoDB databases running at TCP port 27017 as a service of several thousand commercial web servers are exposed on the Internet without proper defense measures.
In “MongoDB databases at risk – Several thousand MongoDBs without access control on the Internet”, Jens Heyens, Kai Greshake and Eric Petryka report the cause as:
The reason for this problem is twofold:
- The defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances.
- The documentation and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms.
Err, “…may not be sufficiently explicit…?”
You think?
Looking at Install MongoDB on Ubuntu, do you see a word about securing access to MongoDB? Nope.
How about Security Introduction? A likely place for new users to check. Nope.
Authentication has your first clue about the localhost exception but doesn’t mention network access at all.
You finally have to reach Network Exposure and Security before you start learning how to restrict access to your MongoDB instance.
Or if you have grabbed the latest MongoDB documentation as a PDF file (2.6), the security information you need starts at page 286.
I set up a MongoDB instance a couple of weeks ago and remember being amazed that there wasn’t even a default admin password. As a former sysadmin I knew that was trouble and hunted through the documentation until finally hitting upon the necessary information.
Limiting access to a MongoDB instance should be included in the installation document, in bold, perhaps even red, letters saying the security steps are necessary before starting your MongoDB instance.
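As an added illustration, not taken from the original post or from the MongoDB documentation, this is the minimal hardening that installation page should carry: a MongoDB 2.6-style YAML mongod.conf with the exposed setting noted beside each corrected one, followed by the one-time admin user creation that the localhost exception permits. The config file path, PEM file path, user name and password are assumptions.

```yaml
# /etc/mongod.conf (YAML format, MongoDB 2.6 and later). Path is assumed.
net:
  port: 27017
  # Exposed: omitting bindIp (or setting 0.0.0.0) makes these versions listen
  # on every interface, which is how instances end up reachable from the Internet.
  # Corrected: listen on loopback only; reach it remotely over an SSH tunnel or
  # VPN, or bind to a private network interface address instead.
  bindIp: 127.0.0.1
  ssl:
    # Exposed: mode: disabled (the default) sends credentials and data in clear.
    # Corrected: require TLS. Needs a build with SSL support and the server
    # certificate plus private key concatenated into one PEM file (path assumed).
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
security:
  # Exposed: authorization: disabled (the default) lets any client that can
  # reach the port read and write every database without credentials.
  # Corrected: require role-based access control for every connection.
  authorization: enabled

# After restarting mongod with authorization enabled there are no users yet.
# The localhost exception lets a connection from the same host create the
# first user administrator; it closes once that user exists. Run once,
# locally (user name and password below are placeholders):
#
#   mongo --port 27017 admin --eval '
#     db.createUser({
#       user: "siteUserAdmin",
#       pwd:  "CHANGE-ME-long-random-password",
#       roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
#     })'
#
# Every further user is then created by first authenticating as siteUserAdmin.
```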
Failure to provide security instructions has resulted in 39,890 vulnerable MongoDBs on the Internet.
Failed to be explicit? More like failed documentation. (full stop)
Users do a bad enough job with security without providing them with bad documentation.
Call me if you need $paid documentation assistance.