MongoDB, a popular NoSQL database used in big data and heavy analytics environments, has patched a serious denial-of-service vulnerability that is remotely exploitable.
Companies using the default installation of MongoDB, which does not require authentication to access the database, are urged to update immediately to a patched version and set up authentication. Hackers using a Shodan query or scanning the Internet for vulnerable installations can easily find MongoDB servers online. According to the MongoDB website, large organizations such as MetLife, Bosch, Expedia, and The Weather Channel have the database in production for a variety of uses.
Researchers at Fortinet’s FortiGuard Labs discovered the vulnerability in separate areas of MongoDB on Feb. 20 and 23 respectively, and immediately disclosed it privately to MongoDB, which made updates available on March 17.
“A potential attacker doesn’t have to be authenticated or have rights to the database to exploit the vulnerability,” said Aamir Lakhani, security strategist, FortiGuard Labs. “All they have to do is send a crafted packet, a particular regex query, to crash the database.”
According to an advisory on the Fortinet website, the vulnerability lies in an old version of the PCRE regular-expression library (8.30) used in MongoDB querying. MongoDB patched the library in versions 3.0.1 and 2.6.9, the last two major releases in production. Up-to-date versions of MongoDB ship with a patched version of PCRE (8.36 and beyond).
“I would say a skilled attacker who understands regex wouldn’t have too much of a difficult time with this attack, especially after examining the code,” Lakhani said. “Some things would stand out with a skilled attacker. And at some point as usually happens with these things, someone will automate it or develop a Metasploit plugin that will make an exploit easy to execute.”
Enabling authentication would blunt that simplicity.
“You can set up Mongo to ensure authentication is required. It’s the recommended best practice,” Lakhani said. “If Mongo is set up in a way that does not allow for anonymous access, at that point, an anonymous user cannot run an attack. But if a user has legitimate credentials, they can execute the same attack.”
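As an added triage example (not code from Fortinet or MongoDB), the script below checks a constructed host inventory against the patched releases the advisory names (3.0.1, 2.6.9, PCRE 8.36+) and ranks the unauthenticated case Lakhani describes above the authenticated one; the host names and versions are made up, and the treatment of release lines other than 3.0 and 2.6 is an assumption.

```python
# Patched MongoDB releases named in the advisory: fixes landed in 3.0.1 and 2.6.9.
PATCHED = {(3, 0): (3, 0, 1), (2, 6): (2, 6, 9)}
# PCRE 8.36 and later carry the fixed regex library.
PATCHED_PCRE = (8, 36)


def parse_version(text: str) -> tuple:
    """Turn 'v3.0.0', '3.0.1-rc0' or '8.30' into a comparable tuple of ints."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def mongod_is_patched(server_version: str, pcre_version: str) -> bool:
    """True when both the server release and its bundled PCRE carry the fix."""
    server = parse_version(server_version)
    branch = server[:2]
    if branch in PATCHED:
        server_ok = server >= PATCHED[branch]
    else:
        # Assumption: lines newer than 3.0 inherit the fix; older lines
        # (the advisory names fixes only for 3.0 and 2.6) are treated as unpatched.
        server_ok = server > (3, 0)
    pcre_ok = parse_version(pcre_version) >= PATCHED_PCRE
    return server_ok and pcre_ok


def assess(server_version: str, pcre_version: str, auth_enabled: bool) -> str:
    """Rank exposure: unpatched plus anonymous access is the case the advisory warns about."""
    if mongod_is_patched(server_version, pcre_version):
        return "patched"
    if not auth_enabled:
        return "critical: unauthenticated remote crash possible; enable auth and upgrade"
    return "high: crash possible by any authenticated user; upgrade"


# Constructed sample inventory (hypothetical hosts, not from the article).
INVENTORY = [
    ("analytics-01", "3.0.0", "8.30", False),
    ("analytics-02", "3.0.1", "8.36", False),
    ("reporting-01", "2.6.8", "8.30", True),
]

if __name__ == "__main__":
    for host, ver, pcre, auth in INVENTORY:
        print(f"{host}: mongod {ver}, pcre {pcre}, auth={auth} -> {assess(ver, pcre, auth)}")
```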
The Fortinet exploit is basically a regular expression that meets a number of conditions that would cause the database to crash. Variants of the crafted regex work, Fortinet said, but it did not disclose the details.
“There are several ways to carry out an attack against this vulnerability,” Lakhani said. “The most common is to connect to the MongoDB server through a website query or using a MongoDB client tool to connect to the server. The attacker puts in a regex string with an input field where MongoDB reads it and processes the input. As soon as it looks at the packet, the server is taken down.
“The risk is that the system is down until services are restarted, and sometimes that requires manual intervention from an administrator,” Lakhani said.