NoSQL Means No Security?

A presentation at Devoxx Poland 2018 in June 2018 in Kraków, Poland by Philipp Krenn

DEVELOPER !

https://db-engines.com/en/ranking

Q:
https://sli.do/xeraa A:
https://twitter.com/xeraa

Injections

JavaScript Injection HTTP://WWW.KALZUMEUS.COM/2010/09/22/SECURITY-LESSONS-LEARNED-FROM-THE-DIASPORA-LAUNCH/ def self.search (query) Person.all( '$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }" ) end

Problem JS Evaluation $where db.eval() db.runCommand( { mapReduce : db.collection.group()

Solution JS Evaluation --noscripting OR security.javascriptEnabled: false

S ! rbrücker Cybersicherheits-Studenten entdecken bis zu 40.000 ungesicherte Datenbanken im Internet — http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html , Feb 2015

Ma ! ive ransomware a " ack takes out 27,000 MongoDB servers — http://www.techrepublic.com/article/massive-ransomware-attack- takes-out-27000-mongodb-servers/ , Jan 2017

Bound to a ! interfaces by default?

Authentication enabled by default?

Authentication & Authorization

Enable auth=true

<3.0 MONGODB CHALLENGE RESPONSE ( MONGODB-CR )

=3.0 IETF RFC 5802 ( SCRAM-SHA-1 ) =4.0
SCRAM-SHA-256

SCRAM-SHA-1 CONFIGURABLE iterationCount SALT PER USER INSTEAD OF SERVER SHA-1 INSTEAD OF MD5 SERVER AUTHENTICATES AGAINST THE CLIENT AS WELL

Predefined Roles read / readAnyDatabase readWrite / readWriteAnyDatabase dbAdmin / dbAdminAnyDatabase userAdmin / userAdminAnyDatabase dbOwner BACKUP, RESTORE, CLUSTER MANAGEMENT,...

=3.0 SSL INCLUDED (ALMOST) EVERYWHERE

Research shows 75% of ‘open’ Redis servers infected — https://www.incapsula.com/blog/report-75-of-open-redis-servers- are-infected.html , May 2018

Let’s crack Redis for fun and no profit at a ! given I’m the developer of this thing — http://antirez.com/news/96 , Nov 2015

Bound to a ! interfaces by default?

Protected Mode

=3.2.0 ANSWER LOCAL QUERIES RESPOND WITH AN ERROR FOR REMOTE

Authentication & Authorization

a tiny layer of authentication — http://redis.io/topics/security

AUTH <password> COMMAND PLAIN-TEXT PASSWORD IN REDIS.CONF NO (BUILT-IN) SSL OR RATE LIMITS

Hiding Co ! ands

SET IN REDIS.CONF RESET AFTER RESTART

rename-command CONFIG mysecretconfigname

rename-command CONFIG ""

PS: Don't Pa ! in Random Lua Scripts

Redis EVAL co ! and a " ows execution of Lua scripts, and such feature should be a " owed by default since is a fundamental Redis feature. — http://antirez.com/news/118 , Jun 2018

Redis Lua scripting: several security vulnerabilities fixed — http://antirez.com/news/119 , Jun 2018

Future

REDIS 6 ACL & TLS HTTP://ANTIREZ.COM/NEWS/118 , JUN 2018

Bound to a ! interfaces by default?

Broadcasting on the local subnet?

Ru ! ing as r " t?

Scripting

ELASTICSEARCH HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2014-6439 (4.3): CORS misconfiguration CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-3337 (4.3): Directory traversal CVE-2015-4165 (3.3): File modifications CVE-2015-5377 (5.1): RCE related to Groovy CVE-2015-5531 (5.0): Directory traversal

ELASTICSEARCH HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2014-6439 (4.3): CORS misconfiguration CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-3337 (4.3): Directory traversal CVE-2015-4165 (3.3): File modifications CVE-2015-5377 (5.1): RCE related to Groovy CVE-2015-5531 (5.0): Directory traversal

Painle !

HIRED DEVELOPER 1 YEAR DEVELOPMENT

Why build a brand new language when there are already so many to ch ! se from? — https://www.elastic.co/blog/painless-a-new-scripting-language

Goal SECURE & PERFORMANT

POST posts/doc/1/_update { "script": { "lang": "painless", "source": """ if(ctx._source.details.containsKey("plus_ones")) { ctx._source.details.plus_ones++; } else { ctx._source.details.plus_ones = 1; } """ } }

Painle ! DEFAULT GROOVY, PYTHON, JAVASCRIPT REMOVED IN 6.X

Authentication & Authorization

$ curl -XGET 'http://67.205.153.88:9200/_cat/indices' yellow open goal12 5 1 9397 0 27mb 27mb yellow open please_read 5 1 1 0 4.9kb 4.9kb yellow open un-webhose 5 1 2294 1 25.4mb 25.4mb yellow open goal11 5 1 4828 0 13.3mb 13.3mb

$ curl -XGET 'http://67.205.153.88:9200/please_read/_search?pretty' {
"took" : 1,
"timed_out" : false ,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0 },
"hits" : {
"total" : 1,
"max_score" : 1.0,
"hits" : [ {
"_index" : "please_read" ,
"_type" : "info" ,
"_id" : "AVm3qmXeus_FduwRD54v" ,
"_score" : 1.0,
"_source" : {
"Info" : "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip" ,
"Bitcoin Address" : "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx" ,
"Email" : "elasticsearch@mail2tor.com" } } ] } }

Conclusion

Injections Are Sti ! a Thing

Enable Security by Default

Be Creative — Or Not

Custom Scripting Can Make Sense

Security Takes Time

Thanks! QUESTIONS? Philipp Kre ! 444 @xer "

Philipp Krenn
@xeraa

1 / 71

New systems are always interesting targets since their security model couldn’t mature yet. NoSQL databases are no exception and had some bad press about their security, but how does their protection actually look like? We will take a look at three widely used systems and their unique approaches:

MongoDB: Widely criticized for publicly accessible databases and a common victim of ransomware. Actually, it provides an elaborate authentication and authorization system, which we will cover from a historic perspective and put an emphasis on the current state.
Redis: Security through obscurity or how you can rename commands. And it features a unique tradeoff for binding to publicly accessible interfaces.
Elasticsearch: Groovy scripting has been a constant headache, but the new, custom-built scripting language Painless tries to take the pain away literally.

Video

Buzz and feedback

Here’s what was said about this presentation on social media.

Thank you @xeraa for your time and great discussion about #elk integration at #DevoxxPL pic.twitter.com/NogLhfBBue
— Roman Tsypuk (@tsypuk_r) June 21, 2018