I recently upgraded to version 6.0 of MongoDB. The database server is running with authentication. We tested our server for vulnerabilities and discovered that we can query for and obtain MongoDB build details over port 27017 without security credentials. The expectation is that no information will be provided without authentication. We did not have this issue with version 5.
Are you sure?
I can get buildInfo on 4.4, 5.0 and 6.0 without authenticating first when mongod has authentication enabled.
There are a few commands that can run without authentication.
Script
// mongo --nodb thisScript.js
var ca = [
m44=Mongo('mongodb://mongo44').getDB('admin'),
m5=Mongo('mongodb://mongo5').getDB('admin'),
m6=Mongo('mongodb://mongo6').getDB('admin'),
m60na=Mongo('mongodb://mongo6noauth').getDB('admin')
]
ca.forEach(c => {
print("==========");
print("Connection: ", c.getMongo());
print(" Version: ", c.version());
print(" Pre Auth: ", c.runCommand({connectionStatus:1}).authInfo);
bi = c.serverBuildInfo();
print(" BuildInfo: ", bi.version, bi.gitVersion);
try {
print(" HostInfo: ", c.hostInfo().os);
} catch (error) {
const { name, message } = error;
print(" HostInfo: ", name, message);
}
c.auth('root','root');
print(" Auth: ", c.runCommand({connectionStatus:1}).authInfo);
print(" HostInfo: ", c.hostInfo().os);
print("==========\n\n");
});
Output
==========
Connection: mongodb://mongo44/?directConnection=true
Version: 4.4.5
Pre Auth: { authenticatedUsers: [], authenticatedUserRoles: [] }
BuildInfo: 4.4.5 ff5cb77101b052fa02da43b8538093486cf9b3f7
HostInfo: MongoServerError command hostInfo requires authentication
Auth: {
authenticatedUsers: [ { user: 'root', db: 'admin' } ],
authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
HostInfo: { type: 'Linux', name: 'Ubuntu', version: '18.04' }
==========
==========
Connection: mongodb://mongo5/?directConnection=true
Version: 5.0.2
Pre Auth: { authenticatedUsers: [], authenticatedUserRoles: [] }
BuildInfo: 5.0.2 6d9ec525e78465dcecadcff99cce953d380fedc8
HostInfo: MongoServerError command hostInfo requires authentication
Auth: {
authenticatedUsers: [ { user: 'root', db: 'admin' } ],
authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
HostInfo: { type: 'Linux', name: 'Ubuntu', version: '20.04' }
==========
==========
Connection: mongodb://mongo6/?directConnection=true
Version: 6.0.2
Pre Auth: { authenticatedUsers: [], authenticatedUserRoles: [] }
BuildInfo: 6.0.2 94fb7dfc8b974f1f5343e7ea394d0d9deedba50e
HostInfo: MongoServerError command hostInfo requires authentication
Auth: {
authenticatedUsers: [ { user: 'root', db: 'admin' } ],
authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
HostInfo: { type: 'Linux', name: 'Ubuntu', version: '20.04' }
==========
==========
Connection: mongodb://mongo6noauth/?directConnection=true
Version: 6.0.2
Pre Auth: { authenticatedUsers: [], authenticatedUserRoles: [] }
BuildInfo: 6.0.2 94fb7dfc8b974f1f5343e7ea394d0d9deedba50e
HostInfo: { type: 'Linux', name: 'Ubuntu', version: '20.04' }
MongoServerError: Authentication failed.
2 Likes