N0whereN0WHERE:159714MongoDB Security Audit: mongoaudit
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.657 Medium
EPSS
Percentile
97.6%
MongoDB Security Audit
mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing. It is widely known that there are quite a few holes in MongoDB’s default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the _ MongoDB apocalypse _ . mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro!
Among other tests, it checks if:
- MongoDB listens on a port different to default one
- MongoDB HTTP status interface is disabled
- TLS/SSL encryption is enabled
- Authentication is enabled
- SCRAM-SHA-1 authentication method is enabled
- Server-side Javascript is forbidden
- Roles granted to the user only permit CRUD operations
- The user has permissions over a single database
- The server is vulnerable to a dozen of different known security bugs
Installing with pip
This is the recommended installation method in case you have python and pip .
pip install mongoaudit
Alternative installer
Use this if and only if python and pip are not available on your platform.
curl -s https://mongoaud.it/install | bash
_ works on Mac OS X, GNU/Linux and Bash for Windows 10 _
_ If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with python mongoaudit . _
Supported tests
- MongoDB listens on a port different to default one
- Server only accepts connections from whitelisted hosts / networks
- MongoDB HTTP status interface is not accessible on port 28017
- MongoDB is not exposing its version number
- MongoDB version is newer than 2.4
- TLS/SSL encryption is enabled
- Authentication is enabled
- SCRAM-SHA-1 authentication method is enabled
- Server-side Javascript is forbidden
- Roles granted to the user only permit CRUD operations *
- The user has permissions over a single database *
- Security bug CVE-2015-7882
- Security bug CVE-2015-2705
- Security bug CVE-2014-8964
- Security bug CVE-2015-1609
- Security bug CVE-2014-3971
- Security bug CVE-2014-2917
- Security bug CVE-2013-4650
- Security bug CVE-2013-3969
- Security bug CVE-2012-6619
- Security bug CVE-2013-1892
- Security bug CVE-2013-2132
_ Tests marked with an asterisk ( * ) require valid authentication credentials. _
References
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.657 Medium
EPSS
Percentile
97.6%