Security

Is Mongodb vulnerable to outside manipulation?

scottrunyon
Contributor

I came across several reports where MongoDB installations are being targeted in malware attacks. How can verify that MongoDB is secure and updated?

The reports state that this is a problem with installations open to the internet that do not have a password protected admin account, so I might be too paranoid. I just want to make sure.

Thanks

0 Karma
1 Solution

scottrunyon
Contributor

I opened a support ticket because this could be an issue during our compliance audits.

Splunk answered -

(start)
MongoDB is only used by Splunk in this context, so here is almost no risk of malware as there needs to be some type of human interaction to achieve (and Splunk is the only user of MongoDB here).

However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.

Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)

As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), Changed to sslVersions = -ssl3, tls in \etc\system\local\web.conf.

Problem solved (fingers crossed).

View solution in original post

scottrunyon
Contributor

I opened a support ticket because this could be an issue during our compliance audits.

Splunk answered -

(start)
MongoDB is only used by Splunk in this context, so here is almost no risk of malware as there needs to be some type of human interaction to achieve (and Splunk is the only user of MongoDB here).

However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.

Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)

As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), Changed to sslVersions = -ssl3, tls in \etc\system\local\web.conf.

Problem solved (fingers crossed).

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @scottrunyon - Did your answer via Support provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!

0 Karma

jkat54
SplunkTrust
SplunkTrust

Have you tried connecting to port 8191 from the internet?

And yes, the splunk kvstore is just mongodb, and therefore susceptible to any MongoDB exploits. You could technically use it as a standard MongoDB for that matter. Although I dont know what the admin user/pass is that Splunk creates, I'm sure someone could figure it out easily.

2016-12-06T19:51:08.350Z I CONTROL [initandlisten] options: { net: { port: 8191, ssl: { PEMKeyFile: "C:\Program Files\Splunk\etc\auth\server.pem", PEMKeyPassword: "", allowInvalidHostnames: true, mode: "preferSSL" } }, replication: { oplogSizeMB: 200, replSet: "ADC39FAB-8C0B-43B9-A1A1-506893E94B42" }, security: { javascriptEnabled: false, keyFile: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" }, storage: { dbPath: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo", mmapv1: { smallFiles: true } }, systemLog: { timeStampFormat: "iso8601-utc" } }

2016-12-06T19:55:38.745Z I ACCESS [conn1] Successfully authenticated as principal __system on local

This is from my mongo.log... Looks like it's using some auth method like the computer that starts mongo has access only...

0 Karma

jkat54
SplunkTrust
SplunkTrust

I tried like hell to access the MongoDB using Python libs etc. I couldn't figure out authentication to save my life. Sorry I'm not very helpful here.

0 Karma

scottrunyon
Contributor

As my installations are behind firewalls and should only be accessible by my local 10.0.0.0 network, connecting to port 8196 should not be possible from the internet however there are a lot of people that are smarter then me.

As for the admin password, when the Splunk installation is installed, does it modify the MongoDB configuration using a default admin PW or is that changed?

Regards.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...