Exposed MongoDB Database Without Access Control

Quick Summary

Exposed MongoDB Database Without Access Control is a critical misconfiguration where a MongoDB instance is accessible without authentication or proper network restrictions. This allows unauthorized users to connect to the database, read sensitive data, modify records, or delete entire databases.

Vulnerability Classification

FieldValue
Vulnerability TypeDatabase Service Misconfiguration
CWE IDCWE-306 – Missing Authentication for Critical Function
CVE IDN/A (Configuration Issue)
CVSS 4.0 Base Score9.4 (Critical)
CVSS VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H
OWASP CategoryA05:2021 – Security Misconfiguration
Attack SurfaceInternal / External Network

Affected Asset / Environment

  • Service: MongoDB
  • Default Port: 27017
  • Platforms: Linux Servers, Cloud Instances, Containers
  • Testing Method: Black-box / Internal Assessment
  • Tools Used: Nmap, mongo shell, Netcat

Description

The assessor observed that the MongoDB service running on the target system is exposed without enforcing authentication or IP-based restrictions. During testing, it was possible to connect to the database instance without valid credentials.

MongoDB is commonly used to store application data, user information, session data, and configuration details. When access control is not enabled, attackers may enumerate databases, extract sensitive data, modify records, or delete entire collections.

Exposed MongoDB instances have historically been targeted by automated scanning tools and ransomware campaigns that wipe and replace databases with ransom notes.

Root Cause

The issue occurs due to improper MongoDB configuration where authentication and authorization mechanisms are not enabled.

Common root causes include:

  • authorization not enabled in mongod configuration
  • Database bound to 0.0.0.0 (all interfaces)
  • No firewall restrictions on port 27017
  • Default deployment settings used in production
  • Lack of secure configuration baseline

Business Impact

Exploitation of this vulnerability may allow attackers to access confidential application data, including user credentials, personal information, and business records.

Attackers may also modify or delete critical data, resulting in service outages, data integrity issues, and financial losses. In severe cases, exposed MongoDB instances have been wiped entirely, leading to permanent data loss.

Such incidents may result in regulatory violations and reputational damage.

Technical Impact

An attacker can:

  • Connect to MongoDB without credentials
  • Enumerate available databases
  • Dump entire collections
  • Insert or modify records
  • Delete databases
  • Deploy ransomware notes within collections

This exposes the organization to complete data compromise.

Proof of Concept (PoC)

Step1: Identify MongoDB Service

nmap -sV -p 27017 <target-ip>

If port 27017 is open and identified as MongoDB, proceed to validation.

Step2: Attempt Direct Connection

mongo --host <target-ip> --port 27017

If connection is established without authentication, access control is not enforced.

Step3: Enumerate Databases

Inside MongoDB shell:

show dbs

If database names are displayed without authentication, the system is vulnerable.

Step4: Access a Specific Database

use <database-name>
show collections

If collections are listed without requiring credentials, unauthorized access is confirmed.

Step5: Validate Data Exposure

db.<collection-name>.find().limit(5)

If records are returned, sensitive data is exposed.

Exploitation Prerequisites

  • Network access to port 27017
  • MongoDB service running
  • Authentication not enabled
  • No IP-based access restriction

Remediation

It is recommended that MongoDB authentication and network restrictions be enforced immediately.

Recommended actions:

  • Enable authentication in MongoDB configuration
  • Create strong administrative users
  • Bind MongoDB to localhost or trusted internal IP addresses
  • Restrict port 27017 using firewall rules
  • Disable remote access if not required
  • Regularly audit database configurations

After applying changes, restart MongoDB service and verify authentication enforcement.

Detection and Monitoring

  • Monitor MongoDB logs for unauthorized connections
  • Alert on external access attempts to port 27017
  • Conduct periodic network scans
  • Implement network segmentation for database services

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *