Security Question: Able to execute query without credentials while authentication is turned on

I recently upgraded to version 6.0 of MongoDB. The database server is running with authentication. We tested our server for vulnerabilities and discovered that we can query for and obtain MongoDB build details over port 27017 without security credentials. The expectation is that no information will be provided without authentication. We did not have this issue with version 5.

Are you sure?

I can get buildInfo on 4.4, 5.0 and 6.0 without authenticating first when mongod has authentication enabled.

There are a few commands that can be run without authenticating first, and the script below shows which of these probes succeed before and after `auth()`.

Script
// mongo --nodb thisScript.js
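// Connections under test: three mongod instances running with authentication
// enabled (4.4, 5.0, 6.0) and one 6.0 instance started without it.
// Each entry is a handle to that server's 'admin' database.
const m44 = Mongo('mongodb://mongo44').getDB('admin');
const m5 = Mongo('mongodb://mongo5').getDB('admin');
const m6 = Mongo('mongodb://mongo6').getDB('admin');
const m60na = Mongo('mongodb://mongo6noauth').getDB('admin');
const ca = [m44, m5, m6, m60na];

// Test-fixture credentials for the 'root' user on the auth-enabled instances.
const TEST_USER = 'root';
const TEST_PASSWORD = 'root';

// Prints the connection's authentication state as reported by the server
// (connectionStatus.authInfo), prefixed with the given label.
function printAuthInfo(c, label) {
  print(label, c.runCommand({ connectionStatus: 1 }).authInfo);
}

// Prints hostInfo().os, or the server error when the command is rejected
// (hostInfo is refused before authentication on the auth-enabled servers).
function printHostInfo(c) {
  try {
    print("  HostInfo: ", c.hostInfo().os);
  } catch (error) {
    const { name, message } = error;
    print("  HostInfo: ", name, message);
  }
}

// For each connection: record what the server answers before authenticating
// (version, buildInfo, hostInfo), then authenticate and probe again.
// auth() is wrapped in try/catch because the no-auth instance rejects the
// login ("Authentication failed."); without the guard that exception aborted
// the whole run before the last connection's post-auth section was printed.
ca.forEach((c) => {
  print("==========");
  print("Connection: ", c.getMongo());
  print("   Version: ", c.version());
  printAuthInfo(c, "  Pre Auth: ");
  const bi = c.serverBuildInfo();
  print(" BuildInfo: ", bi.version, bi.gitVersion);
  printHostInfo(c);
  try {
    c.auth(TEST_USER, TEST_PASSWORD);
  } catch (error) {
    const { name, message } = error;
    print("      Auth: ", name, message);
  }
  printAuthInfo(c, "      Auth: ");
  printHostInfo(c);
  print("==========\n\n");
});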

Output
==========
Connection:  mongodb://mongo44/?directConnection=true
   Version:  4.4.5
  Pre Auth:  { authenticatedUsers: [], authenticatedUserRoles: [] }
 BuildInfo:  4.4.5 ff5cb77101b052fa02da43b8538093486cf9b3f7
  HostInfo:  MongoServerError command hostInfo requires authentication
      Auth:  {
  authenticatedUsers: [ { user: 'root', db: 'admin' } ],
  authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
  HostInfo:  { type: 'Linux', name: 'Ubuntu', version: '18.04' }
==========


==========
Connection:  mongodb://mongo5/?directConnection=true
   Version:  5.0.2
  Pre Auth:  { authenticatedUsers: [], authenticatedUserRoles: [] }
 BuildInfo:  5.0.2 6d9ec525e78465dcecadcff99cce953d380fedc8
  HostInfo:  MongoServerError command hostInfo requires authentication
      Auth:  {
  authenticatedUsers: [ { user: 'root', db: 'admin' } ],
  authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
  HostInfo:  { type: 'Linux', name: 'Ubuntu', version: '20.04' }
==========


==========
Connection:  mongodb://mongo6/?directConnection=true
   Version:  6.0.2
  Pre Auth:  { authenticatedUsers: [], authenticatedUserRoles: [] }
 BuildInfo:  6.0.2 94fb7dfc8b974f1f5343e7ea394d0d9deedba50e
  HostInfo:  MongoServerError command hostInfo requires authentication
      Auth:  {
  authenticatedUsers: [ { user: 'root', db: 'admin' } ],
  authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
  HostInfo:  { type: 'Linux', name: 'Ubuntu', version: '20.04' }
==========
==========
Connection:  mongodb://mongo6noauth/?directConnection=true
   Version:  6.0.2
  Pre Auth:  { authenticatedUsers: [], authenticatedUserRoles: [] }
 BuildInfo:  6.0.2 94fb7dfc8b974f1f5343e7ea394d0d9deedba50e
  HostInfo:  { type: 'Linux', name: 'Ubuntu', version: '20.04' }
MongoServerError: Authentication failed.

