MongoBleed Explained Simply

(bigdata.2minutestreaming.com)

105 points | by todsacerdoti 5 hours ago

10 comments

kentonv 3 hours ago
A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting.
We expected this to hurt performance, but we were unable to measure any impact in practice.
Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.
[-]
- tombert 2 hours ago
  You know, I never even considered doing that but it makes sense; whatever overhead that's incurred by doing that static byte pattern is still almost certainly minuscule compared to the overhead of something like a garbage collector.
  [-]
  - ddtaylor 1 hour ago
    IMO the tradeoff that is important here is a few microseconds of time sanitizing the memory saves the millions of dollars of headache when memory unsafe languages fail (which happens regularly)
- dmitrygr 2 hours ago
  FYI, at least in C/C++, the compiler is free to throw away assignments to any memory pointed to by a pointer if said pointer is about to be passed to free(), so depending on how you did this, no perf impact could have been because your compiler removed the assignment. This will even affect a call to memset()
  see here: https://godbolt.org/z/rMa8MbYox
  [-]
  - shakna 2 hours ago
    However, if you recast to volatile, the compiler will keep it:
```
    #include <stdlib.h>
    #include <string.h>

    void free(void* ptr);
    void not_free(void* ptr);


    void test_with_free(char* ptr) {
        ptr[5] = 6;
        void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
        memset_v(ptr + 2, 3, 4);
        free(ptr);
    }

    void test_with_other_func(char* ptr) {
        ptr[5] = 6;
        void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
        memset_v(ptr + 2, 3, 4);
        not_free(ptr);
    }
```
    [-]
    - maxlybbert 1 hour ago
      Newer versions of C++ (and C, apparently) have functions so that the cast isn't necessary ( https://en.cppreference.com/w/c/string/byte/memset.html ).
plorkyeran 3 hours ago
The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.
netsharc 9 minutes ago
> On Dec 24th, MongoDB reported they have no evidence of anybody exploiting the CVE
Absence of evidence is not evidence of absence...
[-]
- forrestthewoods 7 minutes ago
  What would you prefer them to say?
computerfan494 3 hours ago
The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.
exabrial 1 hour ago
Why is anyone using mongo for literally anything
[-]
- mickael-kerjean 25 minutes ago
  because it is "web scale"
  ref: https://www.youtube.com/watch?v=b2F-DItXtZs
- Aldipower 36 minutes ago
  This is a nasty ad repositorium datorum argumentation which I cannot tolerate.
maxrmk 5 hours ago
How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.
[-]
- petcat 4 hours ago
  From my experience, Mongo DB's entire raison d'etre is "laziness".
  * Don't worry about a schema.
  * Don't worry about persistence or durability.
  * Don't worry about reads or writes.
  * Don't worry about connectivity.
  This is basically the entire philosophy, so it's not surprising at all that users would also not worry about basic security.
  [-]
  - Thaxll 28 minutes ago
    Most of your points are wrong. Maybe only 1- is valid'ish.
  - aragilar 3 hours ago
    Not only that, but authentication is much harder than it needs to be to set up (and is off by default).
  - winrid 3 hours ago
    Although interestingly, for all the mongo deployments I managed, the first time I saw a cluster publicly exposed without SSL was postgres :)
  - ddtaylor 1 hour ago
    Ultimate webscale!
- hahahacorn 4 hours ago
  A highly cited reason for using mongo is that people would rather not figure out a schema. (N=3/3 for “serious” orgs I know using mongo).
  That sort of inclination to push off doing the right thing now to save yourself a headache down the line probably overlaps with “let’s just make the db publicly exposed” instead of doing the work of setting up an internal network to save yourself a headache down the line.
  [-]
  - TZubiri 4 hours ago
    I would have hoped that there would be no important data in mongoDB.
    But now we can at least be rest assured that the important data in mongoDB is just very hard to read with the lack of schemas.
    Probably all of that nasty "schema" work and tech debt will finally be done by hackers trying to make use of that information.
- wood_spirit 4 hours ago
  The article links to a shodan scan reporting 213K exposed instances https://www.shodan.io/search?query=Product%3A%22MongoDB%22
- ddtaylor 1 hour ago
  It could be because when you leave an SQL server exposed it often turns into much worse things. For example, without additional configuration, PostgreSQL will default into a configuration that can own the entire host machine. There is probably some obscure feature that allows system process management, uploading a shell script or something else that isn't disabled by default.
  The end result is "everyone" kind of knows that if you put a PostgreSQL instance up publicly facing without a password or with a weak/default password, it will be popped in minutes and you'll find out about it because the attackers are lazy and just running crypto-mine malware, etc.
- ok123456 3 hours ago
  For a long time, the default install had it binding to all interfaces and with authentication disabled.
- notepad0x90 2 hours ago
  often. lots of data leaks happened because of this. people spin it up in a cloud vm and forget it has a public ip all the time.
reassess_blind 34 minutes ago
Have all Atlas clusters been auto-updated with a fix?
whynotmaybe 4 hours ago
I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.
[-]
- thrwaway55 2 hours ago
  I mean giving everyone footguns and you'll find that is unavoidable forever. Thoughts and prayers to the Mongo devs until we migrate to a language that prevents this error.
ChrisArchitect 43 minutes ago
Related:
MongoBleed
https://news.ycombinator.com/item?id=46394620