Security

Is Mongodb vulnerable to outside manipulation?

Contributor

I came across several reports where MongoDB installations are being targeted in malware attacks. How can verify that MongoDB is secure and updated?

The reports state that this is a problem with installations open to the internet that do not have a password protected admin account, so I might be too paranoid. I just want to make sure.

Thanks

0 Karma
1 Solution

Contributor

I opened a support ticket because this could be an issue during our compliance audits.

Splunk answered -

(start)
MongoDB is only used by Splunk in this context, so here is almost no risk of malware as there needs to be some type of human interaction to achieve (and Splunk is the only user of MongoDB here).

However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.

Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)

As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), Changed to sslVersions = -ssl3, tls in \etc\system\local\web.conf.

Problem solved (fingers crossed).

View solution in original post

Contributor

I opened a support ticket because this could be an issue during our compliance audits.

Splunk answered -

(start)
MongoDB is only used by Splunk in this context, so here is almost no risk of malware as there needs to be some type of human interaction to achieve (and Splunk is the only user of MongoDB here).

However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.

Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)

As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), Changed to sslVersions = -ssl3, tls in \etc\system\local\web.conf.

Problem solved (fingers crossed).

View solution in original post

Splunk Employee
Splunk Employee

Hi @scottrunyon - Did your answer via Support provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!

0 Karma

SplunkTrust
SplunkTrust

Have you tried connecting to port 8191 from the internet?

And yes, the splunk kvstore is just mongodb, and therefore susceptible to any MongoDB exploits. You could technically use it as a standard MongoDB for that matter. Although I dont know what the admin user/pass is that Splunk creates, I'm sure someone could figure it out easily.

2016-12-06T19:51:08.350Z I CONTROL [initandlisten] options: { net: { port: 8191, ssl: { PEMKeyFile: "C:\Program Files\Splunk\etc\auth\server.pem", PEMKeyPassword: "", allowInvalidHostnames: true, mode: "preferSSL" } }, replication: { oplogSizeMB: 200, replSet: "ADC39FAB-8C0B-43B9-A1A1-506893E94B42" }, security: { javascriptEnabled: false, keyFile: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" }, storage: { dbPath: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo", mmapv1: { smallFiles: true } }, systemLog: { timeStampFormat: "iso8601-utc" } }

2016-12-06T19:55:38.745Z I ACCESS [conn1] Successfully authenticated as principal __system on local

This is from my mongo.log... Looks like it's using some auth method like the computer that starts mongo has access only...

0 Karma

SplunkTrust
SplunkTrust

I tried like hell to access the MongoDB using Python libs etc. I couldn't figure out authentication to save my life. Sorry I'm not very helpful here.

0 Karma

Contributor

As my installations are behind firewalls and should only be accessible by my local 10.0.0.0 network, connecting to port 8196 should not be possible from the internet however there are a lot of people that are smarter then me.

As for the admin password, when the Splunk installation is installed, does it modify the MongoDB configuration using a default admin PW or is that changed?

Regards.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!