NoSQL Means No Security?

DEVELOPER !

https://db-engines.com/en/ranking

Q:

https://sli.do/xeraa A:

https://twitter.com/xeraa

Injections

JavaScript Injection HTTP://WWW.KALZUMEUS.COM/2010/09/22/SECURITY-LESSONS-LEARNED-FROM-THE-DIASPORA-LAUNCH/ def self.search (query) Person.all( '$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }" ) end

Problem JS Evaluation $where db.eval() db.runCommand( { mapReduce : db.collection.group()

Solution JS Evaluation --noscripting OR security.javascriptEnabled: false

S ! rbrücker Cybersicherheits-Studenten entdecken bis zu 40.000 ungesicherte Datenbanken im Internet — http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html , Feb 2015

Ma ! ive ransomware a " ack takes out 27,000 MongoDB servers — http://www.techrepublic.com/article/massive-ransomware-attack- takes-out-27000-mongodb-servers/ , Jan 2017

Bound to a ! interfaces by default?

Authentication enabled by default?

Authentication & Authorization

Enable auth=true

<3.0 MONGODB CHALLENGE RESPONSE ( MONGODB-CR )

=3.0 IETF RFC 5802 ( SCRAM-SHA-1 ) =4.0

SCRAM-SHA-256

SCRAM-SHA-1 CONFIGURABLE iterationCount SALT PER USER INSTEAD OF SERVER SHA-1 INSTEAD OF MD5 SERVER AUTHENTICATES AGAINST THE CLIENT AS WELL

Predefined Roles read / readAnyDatabase readWrite / readWriteAnyDatabase dbAdmin / dbAdminAnyDatabase userAdmin / userAdminAnyDatabase dbOwner BACKUP, RESTORE, CLUSTER MANAGEMENT,...

=3.0 SSL INCLUDED (ALMOST) EVERYWHERE

Research shows 75% of ‘open’ Redis servers infected — https://www.incapsula.com/blog/report-75-of-open-redis-servers- are-infected.html , May 2018

Let’s crack Redis for fun and no profit at a ! given I’m the developer of this thing — http://antirez.com/news/96 , Nov 2015

Bound to a ! interfaces by default?

Protected Mode

=3.2.0 ANSWER LOCAL QUERIES RESPOND WITH AN ERROR FOR REMOTE

Authentication & Authorization

a tiny layer of authentication — http://redis.io/topics/security

AUTH <password> COMMAND PLAIN-TEXT PASSWORD IN REDIS.CONF NO (BUILT-IN) SSL OR RATE LIMITS

Hiding Co ! ands

SET IN REDIS.CONF RESET AFTER RESTART

rename-command CONFIG mysecretconfigname

rename-command CONFIG ""

PS: Don't Pa ! in Random Lua Scripts

Redis EVAL co ! and a " ows execution of Lua scripts, and such feature should be a " owed by default since is a fundamental Redis feature. — http://antirez.com/news/118 , Jun 2018

Redis Lua scripting: several security vulnerabilities fixed — http://antirez.com/news/119 , Jun 2018

Future

REDIS 6 ACL & TLS HTTP://ANTIREZ.COM/NEWS/118 , JUN 2018

Bound to a ! interfaces by default?

Broadcasting on the local subnet?

Ru ! ing as r " t?

Scripting

ELASTICSEARCH HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2014-6439 (4.3): CORS misconfiguration CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-3337 (4.3): Directory traversal CVE-2015-4165 (3.3): File modifications CVE-2015-5377 (5.1): RCE related to Groovy CVE-2015-5531 (5.0): Directory traversal

ELASTICSEARCH HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2014-6439 (4.3): CORS misconfiguration CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-3337 (4.3): Directory traversal CVE-2015-4165 (3.3): File modifications CVE-2015-5377 (5.1): RCE related to Groovy CVE-2015-5531 (5.0): Directory traversal

Painle !

HIRED DEVELOPER 1 YEAR DEVELOPMENT

Why build a brand new language when there are already so many to ch ! se from? — https://www.elastic.co/blog/painless-a-new-scripting-language

Goal SECURE & PERFORMANT

POST posts/doc/1/_update { "script": { "lang": "painless", "source": """ if(ctx._source.details.containsKey("plus_ones")) { ctx._source.details.plus_ones++; } else { ctx._source.details.plus_ones = 1; } """ } }

Painle ! DEFAULT GROOVY, PYTHON, JAVASCRIPT REMOVED IN 6.X

Authentication & Authorization

$ curl -XGET 'http://67.205.153.88:9200/_cat/indices' yellow open goal12 5 1 9397 0 27mb 27mb yellow open please_read 5 1 1 0 4.9kb 4.9kb yellow open un-webhose 5 1 2294 1 25.4mb 25.4mb yellow open goal11 5 1 4828 0 13.3mb 13.3mb

$ curl -XGET 'http://67.205.153.88:9200/please_read/_search?pretty' {

"took" : 1,

"timed_out" : false ,

"_shards" : {

"total" : 5,

"successful" : 5,

"failed" : 0 },

"hits" : {

"total" : 1,

"max_score" : 1.0,

"hits" : [ {

"_index" : "please_read" ,

"_type" : "info" ,

"_id" : "AVm3qmXeus_FduwRD54v" ,

"_score" : 1.0,

"_source" : {

"Info" : "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip" ,

"Bitcoin Address" : "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx" ,

"Email" : "elasticsearch@mail2tor.com" } } ] } }

Conclusion

Injections Are Sti ! a Thing

Enable Security by Default

Be Creative — Or Not

Custom Scripting Can Make Sense

Security Takes Time

Thanks! QUESTIONS? Philipp Kre ! 444 @xer "