NoSQL Means No Security?

A presentation at Devoxx Poland 2018 in June 2018 in Kraków, Poland by Philipp Krenn

Slide 1

Slide 2

DEVELOPER !

Slide 3

https://db-engines.com/en/ranking

Slide 4

Slide 5

Q: https://sli.do/xeraa

A: https://twitter.com/xeraa

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Injections

Slide 11

JavaScript Injection
http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/

```ruby
def self.search(query)
  Person.all(
    '$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }"
  )
end
```

Slide 12

Problem: JS evaluation
$where
db.eval()
db.runCommand({ mapReduce: …
db.collection.group()

Slide 13

Solution: disable JS evaluation with --noscripting or security.javascriptEnabled: false
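
An added example (not the deck's or Diaspora's code): the slide 11 query builder next to a version that needs no server-side JavaScript, so it keeps working once scripting is disabled as on slide 13. A tiny local evaluator stands in for MongoDB so the safe filter can be run offline; the people records are constructed.

```python
import re

# Fields the slide 11 search covers.
FIELDS = ("diaspora_handle", "profile.first_name", "profile.last_name")


def search_filter_unsafe(query: str) -> dict:
    """Slide 11 pattern: raw input spliced into a $where JavaScript function,
    so the query text becomes part of server-side code."""
    body = " || ".join(f"this.{f}.match(/^{query}/i)" for f in FIELDS)
    return {"$where": "function() { return " + body + "; }"}


def search_filter_safe(query: str) -> dict:
    """Same prefix search with no JavaScript: one anchored, case-insensitive
    $regex per field, with the input escaped so metacharacters match literally.
    Works unchanged under --noscripting / security.javascriptEnabled: false."""
    pattern = "^" + re.escape(query)
    return {"$or": [{f: {"$regex": pattern, "$options": "i"}} for f in FIELDS]}


def _get(doc: dict, dotted: str) -> str:
    """Resolve a dotted path such as 'profile.first_name'."""
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc if isinstance(doc, str) else ""


def matches(doc: dict, flt: dict) -> bool:
    """Minimal local evaluator for the {$or: [{field: {$regex}}]} shape above,
    so the safe filter can be exercised here without a running MongoDB."""
    return any(re.search(c[f]["$regex"], _get(doc, f), re.IGNORECASE)
               for c in flt["$or"] for f in c)


# Constructed sample records, not real accounts.
PEOPLE = [
    {"diaspora_handle": "alice@pod.example", "profile": {"first_name": "Alice", "last_name": "Liddell"}},
    {"diaspora_handle": "bob@pod.example", "profile": {"first_name": "Albert", "last_name": "Builder"}},
    {"diaspora_handle": "carol@pod.example", "profile": {"first_name": "Carol", "last_name": "A.B"}},
]


def search(query: str) -> list:
    """Handles of the people the safe filter matches."""
    flt = search_filter_safe(query)
    return [p["diaspora_handle"] for p in PEOPLE if matches(p, flt)]
```

With the escaped pattern, a query of "a.b" matches only the literal "A.B", whereas the unescaped regex in the $where version would also match "Albert".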

Slide 14

Saarbrücken cybersecurity students discover up to 40,000 unsecured databases on the internet — http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html, Feb 2015

Slide 15

Massive ransomware attack takes out 27,000 MongoDB servers — http://www.techrepublic.com/article/massive-ransomware-attack-takes-out-27000-mongodb-servers/, Jan 2017

Slide 16

Bound to all interfaces by default?

Slide 17

Slide 18

Authentication enabled by default?

Slide 19

Authentication & Authorization

Slide 20

Enable auth=true

Slide 21

< 3.0: MongoDB Challenge Response (MONGODB-CR)

Slide 22

≥ 3.0: IETF RFC 5802 (SCRAM-SHA-1)

≥ 4.0: SCRAM-SHA-256

Slide 23

SCRAM-SHA-1
Configurable iterationCount
Salt per user instead of per server
SHA-1 instead of MD5
Server authenticates to the client as well
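
An added example, not from the deck or from MongoDB's code, of the RFC 5802 mechanics this slide lists: per-user salt and iteration count, HMAC/hash-derived keys instead of a stored MD5 digest, and the ServerSignature that lets the client authenticate the server. The user name, salt, nonces and AuthMessage are constructed constants; pass algo="sha256" for the SCRAM-SHA-256 variant of slide 22.

```python
import hashlib
import hmac

def derive_keys(password: str, salt: bytes, iterations: int, algo: str = "sha1"):
    """RFC 5802 keys. Hi() is PBKDF2-HMAC with one output block; the per-user
    salt and iteration count set the work factor (slide 23)."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    return client_key, hashlib.new(algo, client_key).digest(), server_key

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password: str, salt: bytes, iterations: int, algo: str = "sha1") -> dict:
    """Server record per user: salt, i, StoredKey and ServerKey, never the password."""
    _, stored_key, server_key = derive_keys(password, salt, iterations, algo)
    return {"salt": salt, "i": iterations, "stored_key": stored_key, "server_key": server_key}

def client_proof(password, user, auth_message, algo="sha1") -> bytes:
    # The client only uses salt and i from `user`; a real server-first message carries them.
    client_key, stored_key, _ = derive_keys(password, user["salt"], user["i"], algo)
    client_sig = hmac.new(stored_key, auth_message, algo).digest()
    return xor(client_key, client_sig)  # ClientProof = ClientKey XOR ClientSignature

def server_check(user, auth_message, proof, algo="sha1"):
    """Recover ClientKey from the proof; accept iff H(ClientKey) == StoredKey.
    On success return ServerSignature, which the client uses to verify the server."""
    client_sig = hmac.new(user["stored_key"], auth_message, algo).digest()
    client_key = xor(proof, client_sig)
    if not hmac.compare_digest(hashlib.new(algo, client_key).digest(), user["stored_key"]):
        return None
    return hmac.new(user["server_key"], auth_message, algo).digest()

def client_check(password, user, auth_message, server_sig, algo="sha1") -> bool:
    _, _, server_key = derive_keys(password, user["salt"], user["i"], algo)
    return hmac.compare_digest(hmac.new(server_key, auth_message, algo).digest(), server_sig)

def run_exchange(stored_pw: str, typed_pw: str, algo: str = "sha1") -> str:
    """One login; salt, nonces and AuthMessage are constructed constants here."""
    user = enroll(stored_pw, b"constructed-per-user-salt", 10000, algo)
    # AuthMessage = client-first-bare "," server-first "," client-final-without-proof
    auth_message = b"n=alice,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=10000,c=biws,r=cnoncesnonce"
    server_sig = server_check(user, auth_message, client_proof(typed_pw, user, auth_message, algo), algo)
    if server_sig is None:
        return "rejected"
    return "mutual" if client_check(typed_pw, user, auth_message, server_sig, algo) else "server-unverified"
```

MongoDB's SCRAM-SHA-1 feeds the hex MD5 of user:mongo:password in as the password string rather than the raw password used here; the key derivation and proof checks are the same.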

Slide 24

Predefined Roles
read / readAnyDatabase
readWrite / readWriteAnyDatabase
dbAdmin / dbAdminAnyDatabase
userAdmin / userAdminAnyDatabase
dbOwner
Backup, restore, cluster management, ...

Slide 25

Slide 26

≥ 3.0: SSL included (almost) everywhere

Slide 27

Slide 28

Research shows 75% of ‘open’ Redis servers infected — https://www.incapsula.com/blog/report-75-of-open-redis-servers-are-infected.html, May 2018

Slide 29

Let’s crack Redis for fun and no profit at all given I’m the developer of this thing — http://antirez.com/news/96, Nov 2015

Slide 30

Bound to all interfaces by default?

Slide 31

Protected Mode

Slide 32

≥ 3.2.0: answer local queries, respond with an error to remote ones

Slide 33

Authentication & Authorization

Slide 34

a tiny layer of authentication — http://redis.io/topics/security

Slide 35

AUTH <password> command
Plain-text password in redis.conf
No (built-in) SSL or rate limits

Slide 36

Hiding Commands

Slide 37

Set in redis.conf, reset after restart

Slide 38

rename-command CONFIG mysecretconfigname

Slide 39

rename-command CONFIG ""

Slide 40

PS: Don't Pass in Random Lua Scripts

Slide 41

Redis EVAL command allows execution of Lua scripts, and such feature should be allowed by default since it is a fundamental Redis feature. — http://antirez.com/news/118, Jun 2018

Slide 42

Redis Lua scripting: several security vulnerabilities fixed — http://antirez.com/news/119, Jun 2018

Slide 43

Future

Slide 44

Redis 6: ACL & TLS — http://antirez.com/news/118, Jun 2018

Slide 45

Slide 46

Bound to all interfaces by default?

Slide 47

Broadcasting on the local subnet?

Slide 48

Running as root?

Slide 49

Scripting

Slide 50

Elasticsearch
https://www.elastic.co/community/security
CVE-2014-3120 (6.8): Dynamic scripting
CVE-2014-6439 (4.3): CORS misconfiguration
CVE-2015-1427 (6.8): Groovy sandbox escape
CVE-2015-3337 (4.3): Directory traversal
CVE-2015-4165 (3.3): File modifications
CVE-2015-5377 (5.1): RCE related to Groovy
CVE-2015-5531 (5.0): Directory traversal

Slide 51

Slide 52

Painless

Slide 53

Hired developer, 1 year of development

Slide 54

Why build a brand new language when there are already so many to choose from? — https://www.elastic.co/blog/painless-a-new-scripting-language

Slide 55

Goal: secure & performant

Slide 56

```
POST posts/doc/1/_update
{
  "script": {
    "lang": "painless",
    "source": """
      if (ctx._source.details.containsKey("plus_ones")) {
        ctx._source.details.plus_ones++;
      } else {
        ctx._source.details.plus_ones = 1;
      }
    """
  }
}
```

Slide 57

Painless default; Groovy, Python, JavaScript removed in 6.x

Slide 58

Authentication & Authorization

Slide 59

Slide 60

```
$ curl -XGET 'http://67.205.153.88:9200/_cat/indices'
yellow open goal12      5 1 9397 0   27mb   27mb
yellow open please_read 5 1    1 0  4.9kb  4.9kb
yellow open un-webhose  5 1 2294 1 25.4mb 25.4mb
yellow open goal11      5 1 4828 0 13.3mb 13.3mb
```

Slide 61

```
$ curl -XGET 'http://67.205.153.88:9200/please_read/_search?pretty'
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "please_read",
      "_type" : "info",
      "_id" : "AVm3qmXeus_FduwRD54v",
      "_score" : 1.0,
      "_source" : {
        "Info" : "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip",
        "Bitcoin Address" : "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
        "Email" : "elasticsearch@mail2tor.com"
      }
    } ]
  }
}
```

Slide 62

Slide 63

Slide 64

Slide 65

Conclusion

Slide 66

Injections Are Still a Thing

Slide 67

Enable Security by Default

Slide 68

Be Creative — Or Not

Slide 69

Custom Scripting Can Make Sense

Slide 70

Security Takes Time

Slide 71

Thanks! Questions? Philipp Krenn, @xeraa