Slide 1
Slide 2
DEVELOPER
Slide 3
https://db-engines.com/en/ranking
Slide 4
Slide 5
Slide 6
Slide 7
Slide 8
Slide 9
Slide 10
Injections
Slide 11
JavaScript Injection HTTP://WWW.KALZUMEUS.COM/2010/09/22/SECURITY-LESSONS-LEARNED-FROM-THE-DIASPORA-LAUNCH/ def self.search(query) Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }") end
Slide 12
Problem JS Evaluation $where db.eval() db.runCommand( { mapReduce: db.collection.group()
Slide 13
Solution JS Evaluation --noscripting OR security.javascriptEnabled: false
Slide 14
Saarbrücker Cybersicherheits-Studenten entdecken bis zu 40.000 ungesicherte Datenbanken im Internet — http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html, Feb 2015
Slide 15
Massive ransomware attack takes out 27,000 MongoDB servers — http://www.techrepublic.com/article/massive-ransomware-attacktakes-out-27000-mongodb-servers/, Jan 2017
Slide 16
Bound to all interfaces by default?
Slide 17
Slide 18
Authentication enabled by default?
Slide 19
Authentication & Authorization
Slide 20
Enable auth=true
Slide 21
<3.0 MONGODB CHALLENGE RESPONSE (MONGODB-CR)
Slide 22
=3.0 IETF RFC 5802 (SCRAM-SHA-1) >=4.0 SCRAM-SHA-256
Slide 23
SCRAM-SHA-1 CONFIGURABLE iterationCount SALT PER USER INSTEAD OF SERVER SHA-1 INSTEAD OF MD5 SERVER AUTHENTICATES AGAINST THE CLIENT AS WELL
Slide 24
Predefined Roles read / readAnyDatabase readWrite / readWriteAnyDatabase dbAdmin / dbAdminAnyDatabase userAdmin / userAdminAnyDatabase dbOwner BACKUP, RESTORE, CLUSTER MANAGEMENT,...
Slide 25
Slide 26
=3.0 SSL INCLUDED (ALMOST) EVERYWHERE
Slide 27
Slide 28
Research shows 75% of ‘open’ Redis servers infected — https://www.incapsula.com/blog/report-75-of-open-redis-serversare-infected.html, May 2018
Slide 29
Let’s crack Redis for fun and no profit at all given I’m the developer of this thing — http://antirez.com/news/96, Nov 2015
Slide 30
Bound to all interfaces by default?
Slide 31
Protected Mode
Slide 32
=3.2.0 ANSWER LOCAL QUERIES RESPOND WITH AN ERROR FOR REMOTE
Slide 33
Authentication & Authorization
Slide 34
a tiny layer of authentication — http://redis.io/topics/security
Slide 35
AUTH <password> COMMAND PLAIN-TEXT PASSWORD IN REDIS.CONF NO (BUILT-IN) SSL OR RATE LIMITS
Slide 36
Hiding Commands
Slide 37
SET IN REDIS.CONF RESET AFTER RESTART
Slide 38
rename-command CONFIG mysecretconfigname
Slide 39
rename-command CONFIG ""
Slide 40
PS: Don't Pass in Random Lua Scripts
Slide 41
Redis EVAL command allows execution of Lua scripts, and such feature should be allowed by default since is a fundamental Redis feature. — http://antirez.com/news/118, Jun 2018
Slide 42
Redis Lua scripting: several security vulnerabilities fixed — http://antirez.com/news/119, Jun 2018
Slide 43
Future
Slide 44
REDIS 6 ACL & TLS HTTP://ANTIREZ.COM/NEWS/118, JUN 2018
Slide 45
Slide 46
Bound to all interfaces by default?
Slide 47
Broadcasting on the local subnet?
Slide 48
Running as root?
Slide 49
Scripting
Slide 50
ELASTICSEARCH HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 CVE-2014-6439 CVE-2015-1427 CVE-2015-3337 CVE-2015-4165 CVE-2015-5377 CVE-2015-5531 CVE-2018-3826 (6.8): (4.3): (6.8): (4.3): (3.3): (5.1): (5.0): (X.X): Dynamic scripting CORS misconfiguration Groovy sandbox escape Directory traversal File modifications RCE related to Groovy Directory traversal Disclosure flaw
Slide 51
ELASTICSEARCH HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 CVE-2014-6439 CVE-2015-1427 CVE-2015-3337 CVE-2015-4165 CVE-2015-5377 CVE-2015-5531 CVE-2018-3826 (6.8): (4.3): (6.8): (4.3): (3.3): (5.1): (5.0): (X.X): Dynamic scripting CORS misconfiguration Groovy sandbox escape Directory traversal File modifications RCE related to Groovy Directory traversal Disclosure flaw
Slide 52
Painless
Slide 53
HIRED DEVELOPER 1 YEAR DEVELOPMENT
Slide 54
Why build a brand new language when there are already so many to choose from? — https://www.elastic.co/blog/painless-a-new-scripting-language
Slide 55
Goal SECURE & PERFORMANT
Slide 56
POST posts/doc/1/_update { "script": { "lang": "painless", "source": """ if(ctx._source.details.containsKey("plus_ones")) { ctx._source.details.plus_ones++; } else { ctx._source.details.plus_ones = 1; } """ } }
Slide 57
Painless DEFAULT GROOVY, PYTHON, JAVASCRIPT REMOVED IN 6.X
Slide 58
Authentication & Authorization
Slide 59
Slide 60
$ curl yellow yellow yellow yellow -XGET 'http://67.205.153.88:9200/_cat/indices' open goal12 5 1 9397 0 27mb 27mb open please_read 5 1 1 0 4.9kb 4.9kb open un-webhose 5 1 2294 1 25.4mb 25.4mb open goal11 5 1 4828 0 13.3mb 13.3mb
Slide 61
$ curl -XGET 'http://67.205.153.88:9200/please_read/_search?pretty' { "took" : 1, "timed_out" : false, "_shards" : { "total" : 5, "successful" : 5, "failed" : 0 }, "hits" : { "total" : 1, "max_score" : 1.0, "hits" : [ { "_index" : "please_read", "_type" : "info", "_id" : "AVm3qmXeus_FduwRD54v", "_score" : 1.0, "_source" : { "Info" : "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip", "Bitcoin Address" : "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx", "Email" : "elasticsearch@mail2tor.com" } } ] } }
Slide 62
Slide 63
Slide 64
Slide 65
Conclusion
Slide 66
Injections Are Still a Thing
Slide 67
Enable Security by Default
Slide 68
Be Creative — Or Not
Slide 69
Custom Scripting Can Make Sense
Slide 70
Security Takes Time
Slide 71
Thanks! QUESTIONS? Philipp Krenn @xeraa
