MongoBleed Explained Simply

6 comments

• plorkyeran 2 hours ago
  The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.
• kentonv 2 hours ago
  A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting.

  We expected this to hurt performance, but we were unable to measure any impact in practice.

  Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.

  [-]
  • tombert 1 hour ago
    You know, I never even considered doing that but it makes sense; whatever overhead that's incurred by doing that static byte pattern is still almost certainly minuscule compared to the overhead of something like a garbage collector.
    [-]
    • ddtaylor 34 minutes ago
      IMO the tradeoff that is important here is a few microseconds of time sanitizing the memory saves the millions of dollars of headache when memory unsafe languages fail (which happens regularly)
  • dmitrygr 1 hour ago
    FYI, at least in C/C++, the compiler is free to throw away assignments to any memory pointed to by a pointer if said pointer is about to be passed to free(), so depending on how you did this, no perf impact could have been because your compiler removed the assignment. This will even affect a call to memset()

    see here: https://godbolt.org/z/rMa8MbYox

    [-]
    • shakna 1 hour ago
      However, if you recast to volatile, the compiler will keep it:

          #include <stdlib.h>
          #include <string.h>
      
          void free(void* ptr);
          void not_free(void* ptr);
      
      
          void test_with_free(char* ptr) {
              ptr[5] = 6;
              void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
              memset_v(ptr + 2, 3, 4);
              free(ptr);
          }
      
          void test_with_other_func(char* ptr) {
              ptr[5] = 6;
              void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
              memset_v(ptr + 2, 3, 4);
              not_free(ptr);
          }

      [-]
      • maxlybbert 13 minutes ago
        Newer versions of C++ (and C, apparently) have functions so that the cast isn't necessary ( https://en.cppreference.com/w/c/string/byte/memset.html ).
• computerfan494 2 hours ago
  The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.
• maxrmk 3 hours ago
  How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.
  [-]
  • petcat 3 hours ago
    From my experience, Mongo DB's entire raison d'etre is "laziness".

    * Don't worry about a schema.

    * Don't worry about persistence or durability.

    * Don't worry about reads or writes.

    * Don't worry about connectivity.

    This is basically the entire philosophy, so it's not surprising at all that users would also not worry about basic security.

    [-]
    • aragilar 2 hours ago
      Not only that, but authentication is much harder than it needs to be to set up (and is off by default).
    • winrid 2 hours ago
      Although interestingly, for all the mongo deployments I managed, the first time I saw a cluster publicly exposed without SSL was postgres :)
    • ddtaylor 32 minutes ago
      Ultimate webscale!
  • hahahacorn 3 hours ago
    A highly cited reason for using mongo is that people would rather not figure out a schema. (N=3/3 for “serious” orgs I know using mongo).

    That sort of inclination to push off doing the right thing now to save yourself a headache down the line probably overlaps with “let’s just make the db publicly exposed” instead of doing the work of setting up an internal network to save yourself a headache down the line.

    [-]
    • TZubiri 2 hours ago
      I would have hoped that there would be no important data in mongoDB.

      But now we can at least be rest assured that the important data in mongoDB is just very hard to read with the lack of schemas.

      Probably all of that nasty "schema" work and tech debt will finally be done by hackers trying to make use of that information.
  • ddtaylor 30 minutes ago
    It could be because when you leave an SQL server exposed it often turns into much worse things. For example, without additional configuration, PostgreSQL will default into a configuration that can own the entire host machine. There is probably some obscure feature that allows system process management, uploading a shell script or something else that isn't disabled by default.

    The end result is "everyone" kind of knows that if you put a PostgreSQL instance up publicly facing without a password or with a weak/default password, it will be popped in minutes and you'll find out about it because the attackers are lazy and just running crypto-mine malware, etc.
  • wood_spirit 3 hours ago
    The article links to a shodan scan reporting 213K exposed instances https://www.shodan.io/search?query=Product%3A%22MongoDB%22
  • ok123456 2 hours ago
    For a long time, the default install had it binding to all interfaces and with authentication disabled.
  • notepad0x90 1 hour ago
    often. lots of data leaks happened because of this. people spin it up in a cloud vm and forget it has a public ip all the time.
• whynotmaybe 2 hours ago
  I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.
  [-]
  • thrwaway55 54 minutes ago
    I mean giving everyone footguns and you'll find that is unavoidable forever. Thoughts and prayers to the Mongo devs until we migrate to a language that prevents this error.