600TB MongoDB Database ‘accidentally’ exposed on the Internet

The roughly 600 TB of data is not held in one database but spread across many separate MongoDB instances, and it is not exposed because of a flaw in the latest version of the software. The cause is out-of-date, unpatched versions of the platform that, by default, listen on every network interface instead of binding only to localhost.

While investigating NoSQL databases, Shodan founder John Matherly focused on MongoDB, which is growing in popularity.

“It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to [in which listening is enabled for all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” Matherly wrote in a blog post.

The security issue was first reported as a critical vulnerability back in February of 2012 by Roman Shtylman, but it took MongoDB developers a bit more than two years to rectify this security flaw.

Affected, outdated versions of MongoDB ship without a 'bind_ip' setting in the configuration file (mongodb.conf), so mongod accepts connections on every interface. Users who are not aware of the setting end up with a database server reachable from the Internet.

According to Shtylman, “The default should be to lockdown as much as possible and only expose if the user requests it.”

Affected Versions

Early releases of the 2.6 branch also appeared to be affected. Among the exposed instances, versions 2.4.9 and 2.4.10 were the most common, followed by 2.6.7.

The majority of publicly exposed MongoDB instances run on cloud servers at providers such as Amazon, DigitalOcean, Linode and the hosting provider OVH, and most of them run without authentication. This does not mean cloud hosting is inherently less secure than a datacenter; it points to the software that cloud deployments start from.

“My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software,” Matherly said.

Affected users should upgrade to the latest version immediately. Upgrading alone is not enough on a server that has already been deployed: set 'bind_ip' explicitly to the loopback address (or to a private interface), enable authentication, and restrict port 27017 at the firewall, since an unauthenticated database reachable from the Internet is exposed regardless of version.
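The check below is an added example and is not code from the article or from the MongoDB project. It audits a mongod configuration file for the two conditions discussed above (no loopback-only bind address, and authentication not enabled), accepting both the legacy ini-style keys (`bind_ip`, `auth`) and the YAML format (`net.bindIp`, `security.authorization`) introduced in 2.6. The three sample configuration files are constructed for the demonstration; the file paths and the `bindIpAll` key (a later addition to MongoDB) are assumptions, not something the article describes.

```shell
#!/bin/sh
# Added example (not from the article or MongoDB): audit a mongod config for
# the exposure described above. Works with POSIX sh.

# Return 0 when the config binds only to loopback addresses, 1 otherwise
# (no bind address at all, 0.0.0.0/::, bindIpAll, or a non-loopback IP).
mongo_bind_ok() {
    cfg="$1"
    # bindIpAll: true (newer releases, assumed key) explicitly opens every interface.
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$cfg"; then
        return 1
    fi
    # First bind address found, in either the YAML or the legacy ini format.
    bind=$(sed -n -e 's/^[[:space:]]*bindIp:[[:space:]]*//p' \
                  -e 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' "$cfg" \
           | head -n 1 | tr -d ' "'"'"'')
    # No bind address: the pre-2.6 default of listening on all interfaces.
    [ -z "$bind" ] && return 1
    old_ifs=$IFS; IFS=','
    for addr in $bind; do
        case "$addr" in
            127.0.0.1|localhost|::1) ;;   # loopback only: fine
            *) IFS=$old_ifs; return 1 ;;  # 0.0.0.0, ::, or a routable address
        esac
    done
    IFS=$old_ifs
    return 0
}

# Return 0 when authentication is enabled (YAML "authorization: enabled" or
# legacy "auth = true"), 1 otherwise.
mongo_auth_ok() {
    grep -Eq '^[[:space:]]*(authorization:[[:space:]]*enabled|auth[[:space:]]*=[[:space:]]*true)' "$1"
}

# --- Constructed sample configs (paths are assumptions) ---
WEAK="${TMPDIR:-/tmp}/mongo_weak_$$.conf"
OPEN="${TMPDIR:-/tmp}/mongo_open_$$.conf"
HARDENED="${TMPDIR:-/tmp}/mongo_hardened_$$.conf"
trap 'rm -f "$WEAK" "$OPEN" "$HARDENED"' EXIT

# 1. Legacy package-style config with no bind_ip and no auth: the case in the article.
cat > "$WEAK" <<'EOF'
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
EOF

# 2. Auth enabled, but bound to 0.0.0.0: still reachable from the Internet.
cat > "$OPEN" <<'EOF'
dbpath=/var/lib/mongodb
bind_ip = 0.0.0.0
auth = true
EOF

# 3. Hardened 2.6+ YAML config: loopback only and authentication on.
cat > "$HARDENED" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

for f in "$WEAK" "$OPEN" "$HARDENED"; do
    if mongo_bind_ok "$f"; then b="loopback-only"; else b="EXPOSED"; fi
    if mongo_auth_ok "$f"; then a="enabled"; else a="DISABLED"; fi
    echo "$f: bind=$b auth=$a"
done
```

Run it against a real file with `mongo_bind_ok /etc/mongodb.conf; echo $?` after sourcing the script; a result of 1 on a host with a public address is exactly the situation Shodan was indexing. A config with an explicit `bind_ip = 0.0.0.0` plus `auth = true` is flagged as exposed on purpose: authentication limits what an attacker can read, but the listener is still on the Internet.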

This is not the first time MongoDB instances have been found exposed on the Internet: back in February, German researchers found nearly 40,000 MongoDB instances openly reachable online.

via 600TB MongoDB Database ‘accidentally’ exposed on the Internet.
