HackDig : Dig high-quality web security articles for hacker

“Widespread” MongoDB Denial of Service Vulnerability Discovered

2015-03-28 16:50

Last month, researchers in Fortinet’s threat research division, FortiGuard Labs, discovered a vulnerability in MongoDB that would allow hackers to remotely crash the database application. Characterizing the vulnerability as “widespread”, the researchers successfully demonstrated a denial of service attack against legacy versions of the database that users could initiate remotely.

MongoDB has quickly become the most popular NoSQL database in use today. NoSQL was developed to address the need to store and process unstructured data that did not fit well into relational database systems like MySQL, driven by the explosion of Big Data applications. MongoDB’s implementation of NoSQL is used to power sites like eBay, Orbitz, and Foursquare, making vulnerabilities of particular concern.

To exploit this vulnerability, a hacker would need remote access to a MongoDB command line. MongoDB doesn’t require authentication by default and this attack works if authentication isn’t set up. In the more likely case that it is, an attacker could use any valid user credentials; the user does not need to be an administrator to execute the attack. Once the hacker had access, he would then submit a regular expression that met certain conditions; these conditions would cause a general system crash. There are several variants of the tested regular expression that may work, but we aren’t disclosing them here to avoid handing hackers the tools they need to initiate a DoS attacks on the many sites that use MongoDB.

The screen shot below shows the actual code execution in mongo.exe (the console for MongoDB) with the specific string redacted.

In the next screen shot, we see the database crash with an unhandled exception.

The vulnerability actually stems from an old PCRE library (a library of regular expressions used for pattern matching in the PERL programming language generally and MongoDB querying in particular). MongoDB has updated the library in versions 3.01 and 2.69 of the database (the latest versions of the two major releases in production), effectively removing the vulnerability. However, as with all major software installations, many organizations continue to use legacy versions of the database.

Exact statistics on versions in production environments aren’t available, but it’s safe to say that it’s time for an upgrade if you haven’t already moved to the latest versions. Because the update that fixes this vulnerability is relatively recent (March 17th, 2015), MongoDB users and administrators should be especially sensitive to available upgrades.

Further technical information on the vulnerability is available from MongoDB’s system dashboard.

Source: derevocsid-ytilibarenluv-ecivres-fo-lained-bdognom-daerpsediw/tsop/moc.tenitrof.golb

Read:2662 | Comments:0 | Tags: Vulnerability

““Widespread” MongoDB Denial of Service Vulnerability Discovered”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud