MongoBleed Explained Simply

Posted by todsacerdoti 13 hours ago

MongoBleed Explained Simply(bigdata.2minutestreaming.com)

186 points | 71 comments

kentonv 10 hours ago|

A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting.

We expected this to hurt performance, but we were unable to measure any impact in practice.

Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.

amomchilov 5 hours ago||

Recent macOS versions zero out memory on free, which improves the efficacy of memory compression. Apparently it’s a net performance gain in the average case

cperciva 7 hours ago|||

Note that many malloc implementations will do this for you given an appropriate environment, e.g. setting MALLOC_CONF to opt.junk=free will do this on FreeBSD.

MuffinFlavored 6 hours ago|||

> OpenBSD uses 0xdb to fill newly allocated memory and 0xdf to fill memory upon being freed. This helps developers catch "use-before-initialization" (seeing 0xdb) and "use-after-free" (seeing 0xdf) bugs quickly.

Looks like this is the default in OpenBSD.

tombert 10 hours ago|||

You know, I never even considered doing that but it makes sense; whatever overhead that's incurred by doing that static byte pattern is still almost certainly minuscule compared to the overhead of something like a garbage collector.

ddtaylor 9 hours ago||

IMO the tradeoff that is important here is a few microseconds of time sanitizing the memory saves the millions of dollars of headache when memory unsafe languages fail (which happens regularly)

tombert 7 hours ago||

I agree. I almost feel like this should be like a flag in `free`. Like if you pass in 1 or something as a second argument (or maybe a `free_safe` function or something), it will automatically `memset` whatever it's freeing with 0's, and then do the normal freeing.

yawaramin 5 hours ago||

https://news.ycombinator.com/item?id=46417221

dmitrygr 9 hours ago||

FYI, at least in C/C++, the compiler is free to throw away assignments to any memory pointed to by a pointer if said pointer is about to be passed to free(), so depending on how you did this, no perf impact could have been because your compiler removed the assignment. This will even affect a call to memset()

see here: https://godbolt.org/z/rMa8MbYox

kentonv 6 hours ago|||

I patched the free() implementation itself, not the code that calls free().

I did, of course, test it, and anyway we now run into the "freed memory" pattern regularly when debugging (yes including optimized builds), so it's definitely working.

shakna 9 hours ago|||

However, if you recast to volatile, the compiler will keep it:

    #include <stdlib.h>
    #include <string.h>

    void free(void* ptr);
    void not_free(void* ptr);


    void test_with_free(char* ptr) {
        ptr[5] = 6;
        void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
        memset_v(ptr + 2, 3, 4);
        free(ptr);
    }

    void test_with_other_func(char* ptr) {
        ptr[5] = 6;
        void *(* volatile memset_v)(void *s, int c, size_t n) = memset;
        memset_v(ptr + 2, 3, 4);
        not_free(ptr);
    }

cperciva 7 hours ago|||

That code is not guaranteed to work. Declaring memset_v as volatile means that the variable has to be read, but does not imply that the function must be called; the compiler is free to compile the function call as "tmp = memset_v; if (tmp != memset) tmp(...)" relying on its knowledge that in the likely case of equality the call can be optimized away.

shakna 5 hours ago||

Whilst the C standard doesn't guarantee it, both LLVM and GCC _do_. They have implementation-defined that it will work, so are not free to optimise it away.

[0] https://llvm.org/docs/LangRef.html#llvm-memset-intrinsics

[1] https://gitweb.git.savannah.gnu.org/gitweb/?p=gnulib.git;a=b...

raverbashing 1 hour ago||

Yeah the C committee is wrong here

uecker 29 minutes ago||

I don't see why?

The C committee gave you memset_explicit. But note that there is still no guarantee that information can not leak. This is generally a very hard problem as information can leak in many different ways as it may have been copied by the compiler. Fully memory safe languages (so "Safe Rust" but not necessarily real-word Rust) would offer a bit more protection by default, but then there are still side-channel issues.

maxlybbert 8 hours ago|||

Newer versions of C++ (and C, apparently) have functions so that the cast isn't necessary ( https://en.cppreference.com/w/c/string/byte/memset.html ).

plorkyeran 10 hours ago||

The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.

computerfan494 10 hours ago||

The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.

maxrmk 12 hours ago||

How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.

petcat 11 hours ago||

From my experience, Mongo DB's entire raison d'etre is "laziness".

* Don't worry about a schema.

* Don't worry about persistence or durability.

* Don't worry about reads or writes.

* Don't worry about connectivity.

This is basically the entire philosophy, so it's not surprising at all that users would also not worry about basic security.

senderista 5 hours ago|||

To the extent that any of this was ever true, it hasn’t been true for at least a decade. After the WiredTiger acquisition they really got their engineering shit together. You can argue it was several years too late but it did happen.

cyberpunk 2 hours ago||

I got heavily burned pre-wiredtiger and swore to never use it again. Started a new job which uses it and it’s been… Painless, stable and fast with excellent support and good libraries. They did turn it around for sure.

aragilar 10 hours ago||||

Not only that, but authentication is much harder than it needs to be to set up (and is off by default).

winrid 10 hours ago||||

Although interestingly, for all the mongo deployments I managed, the first time I saw a cluster publicly exposed without SSL was postgres :)

Thaxll 7 hours ago||||

Most of your points are wrong. Maybe only 1- is valid'ish.

ddtaylor 9 hours ago||||

Ultimate webscale!

morshu9001 5 hours ago|||

I'm sure there are publicly exposed MySQLs too

hahahacorn 12 hours ago|||

A highly cited reason for using mongo is that people would rather not figure out a schema. (N=3/3 for “serious” orgs I know using mongo).

That sort of inclination to push off doing the right thing now to save yourself a headache down the line probably overlaps with “let’s just make the db publicly exposed” instead of doing the work of setting up an internal network to save yourself a headache down the line.

matwood 54 minutes ago|||

> A highly cited reason for using mongo is that people would rather not figure out a schema.

Which is such a cop out, because there is always a schema. The only questions are whether it is designed, documented, and where it's implemented. Mongo requires some very explicit schema decisions, otherwise performance will quickly degrade.

TZubiri 11 hours ago|||

I would have hoped that there would be no important data in mongoDB.

But now we can at least be rest assured that the important data in mongoDB is just very hard to read with the lack of schemas.

Probably all of that nasty "schema" work and tech debt will finally be done by hackers trying to make use of that information.

saghm 5 hours ago||

I'd argue that there's a schema; it's just defined dynamically by the queries themselves. Given how much of the industry seems fine with dynamic typing in languages, it's always been weird to me how diehard people seem to be about this with databases. There have been plenty of legitimate reasons to be skeptical of mongodb over the years (especially in the early days), but this one really isn't any more of a big deal than using Python or JavaScript.

morshu9001 5 hours ago|||

Yes there's a schema, but it's hard to maintain. You end up with 200 separate code locations rechecking that the data is in the expected shape. I've had to fix too many such messes at work after a project grinded to a halt. Ironically some people will do schemaless but use a statically typed lang for regular backend code, which doesn't buy you much. I'd totally do dynamic there. But DB schema is so little effort for the strong foundation it sets for your code.

Sometimes it comes from a misconception that your schema should never have to change as features are added, and so you need to cover all cases with 1-2 omni tables. Often named "node" and "edge."

matwood 45 minutes ago|||

The adage I always tell people is that in any successful system, the data will far outlive the code. People throw away front ends and middle layers all the time. This becomes so much harder to do if the schema is defined across a sprawling middle layer like you describe.

cyberpunk 2 hours ago|||

We just sit a data persistence service infront of mongo and so we can enforce some controls for everything there if we need them, but quite often we don’t.

It’s probably better to check what you’re working on than blindly assuming this thing you’ve gotten from somewhere is the right shape anyway.

TZubiri 18 minutes ago|||

What's weird to me is when dynamic typers don't acknowledge the tradeoff of quality vs upfront work.

I never said mongodb was wrong in that post, I just said it accumulated tech debt.

Let's stop feeling attacked over the negatives of tradeoffs

bschmidt107979 7 hours ago|||

Are you guys serious with these takes?

You very often have both NoSQL and SQL at scale.

NoSQL is used for high availability of data at scale - iMessage famously uses it for message threads, EA famously uses it for gaming matchmaking.

What you do is have both SQL and NoSQL. The NoSQL is basically caches of resources for high availability. Imagine you are making a social media app... Yes of course you have a SQL database that stores all the data, but you maintain API caches of posts in NoSQL.

Why? This gets to some of your other black vs white insults: NoSQL is typically WAY FASTER than SQL. That's why you use it. It's way faster to read a JSON file from a hard drive than it is to query a SQL database, always has been. So why not use NoSQL for EVERYTHING? Well, because you have duplicated data everywhere since it's not relational, it's just giant caches essentially. You also will get slow queries when the documents get huge.

Anyway you need both. It's not an either/or thing. I cannot believe this many years later people do not know the purpose of SQL and NoSQL and do not understand that it is not a competition at all. You want both!

ch2026 4 hours ago|||

Because nobody uses mongo for the reasons you listed. They use redis, dynamo, scylla or any number of enriched KV stores.

Mongo has spent its entire existence pretending to be a SQL database by poorly reinventing everything you get for free in postgres or mysql or cockroach.

Capricorn2481 6 hours ago|||

What they wrote was pretty benign. They just asked how common it is for Mongo to be exposed. You seem to have taken that as a completely different statement

bschmidt107979 6 hours ago||

I mean they said it's rarely used when in fact it's widely used by some of the world's biggest companies at the highest scale the internet knows. The other guy had a harsher comment sure, maybe I should duplicate my reply to them, but who knows what kinds of rules that breaks on this site lmao Happy Christmas & New Year buddy!

wood_spirit 12 hours ago|||

The article links to a shodan scan reporting 213K exposed instances https://www.shodan.io/search?query=Product%3A%22MongoDB%22

acheong08 6 hours ago|||

My university has one exposed to the internet, and it's still not patched. Everyone is on holiday and I have no idea who to contact.

heavyset_go 4 hours ago|||

No one, if you aren't in the administration's good graces and something shitty happens unrelated to you, you've put a target on your back to be suspect #1.

bschmidt107979 5 hours ago|||

"Look at me. I'm the DBA now"

-JS devs after "Signing In With Facebook" to MongoDB Atlas

AKA me

Sorry guys, I broke it

ddtaylor 9 hours ago|||

It could be because when you leave an SQL server exposed it often turns into much worse things. For example, without additional configuration, PostgreSQL will default into a configuration that can own the entire host machine. There is probably some obscure feature that allows system process management, uploading a shell script or something else that isn't disabled by default.

The end result is "everyone" kind of knows that if you put a PostgreSQL instance up publicly facing without a password or with a weak/default password, it will be popped in minutes and you'll find out about it because the attackers are lazy and just running crypto-mine malware, etc.

ok123456 10 hours ago|||

For a long time, the default install had it binding to all interfaces and with authentication disabled.

notepad0x90 9 hours ago||

often. lots of data leaks happened because of this. people spin it up in a cloud vm and forget it has a public ip all the time.

netsharc 7 hours ago||

> On Dec 24th, MongoDB reported they have no evidence of anybody exploiting the CVE

Absence of evidence is not evidence of absence...

forrestthewoods 7 hours ago|

What would you prefer them to say?

perching_aix 6 hours ago||

Evidence of no exploitations? It's usually hard to prove a negative, except when you have all the logs at your fingertips you can sift through. Unless they don't, of course. In which case the point stands: they don't actually know at this point in time, if they can even know about it at all.

Specifically, it looks like the exflitration primitive relies on errors being emitted, and those errors are what leak the data. They're also rather characteristic. One wouldn't reasonably expect MongoDB to hold onto all raw traffic data flowing in and out, but would absolutely expect them to have the error logs, at least for some time back.

saghm 5 hours ago|||

I feel like that's an issue not with what they said, but what they did. It would be better for them to have checked this quickly, but it would have been worse for them to have they did when they hadn't. What you're saying isn't wrong, but it's not really an answer to the question you're replying to.

forrestthewoods 5 hours ago|||

“No evidence of exploitation” is a pretty bog standard report I think? Made on Christmas Eve no less.

Do other CVE reports come with more strong statements? I’m not sure they do. But maybe you can provide some counter examples that meet your bar.

perching_aix 5 hours ago||

It's not really my bar, I just explored this on behalf of the person you were replying to because I found it mildly interesting.

It is also a pretty standard response indeed. But now that it was highlighted, maybe it does deserve some scrutiny? Or is saying silly, possibly misleading things okay if that's what everyone has always been doing?

whynotmaybe 11 hours ago||

I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.

thrwaway55 9 hours ago|

I mean giving everyone footguns and you'll find that is unavoidable forever. Thoughts and prayers to the Mongo devs until we migrate to a language that prevents this error.

exabrial 8 hours ago||

Why is anyone using mongo for literally anything

gethly 1 hour ago||

Right? When they came out, it was all about NoSQL, which then turned out only mean key-value database, whom are plentiful.

nine_k 7 hours ago|||

Easy replication. I suppose it's faster than Postgres's JSONB, too.

I would rather not use it, but I see that there are legitimate cases where MongoDB or DynamoDB is a technically appropriate choice.

mickael-kerjean 7 hours ago|||

because it is "web scale"

ref: https://www.youtube.com/watch?v=b2F-DItXtZs

DonHopkins 3 hours ago||

Whenever anyone writes about mongodb or redis I hear it in that voice.

Aldipower 7 hours ago||

This is a nasty ad repositorium datorum argumentation which I cannot tolerate.

bschmidt107979 6 hours ago||

Every time someone posts about NoSQL a thousand "programmers" reveal they have never had to support a lot of traffic lol

vivzkestrel 6 hours ago||

is it true that ubisoft got hacked and 900GB of data from their database was leaked due to mongobleed, i am seeing a lot of posts on social media under the #ubisoft tags today. can someone on HN confirm?

bschmidt107979 6 hours ago||

TLDR: Blame logs not NoSQL.

Almost always when you hear about emails or payment info leaking (or when Twitter stored passwords in plaintext lol) it's from logs. And a lot of times logs are in NoSQL because it is only ever needed in that same JSON format and in a very highly available way (all you Heroku users tailing logs all day, yw) and then almost nobody encrypts phone numbers and emails etc. whenever those end up in logs.

There's basically no security around logs actually. They're just like snapshots of the backend data being sent around and nobody ever cares about it.

Anyway it has nothing to do with the choice to use NoSQL, it has more to do with how neglected security is around it.

Btw in case you are wondering in both the Twitter plaintext password case and in the Rainbow Six Siege data leak you mention were both logs that leaked. NoSQL backed logs sure, but it's more about the data security around logging IMO.

christophilus 6 hours ago||

I read that hack was made possible by Ubisoft’s support staff taking bribes.

Maxious 5 hours ago||

Details are still emerging, update in the last hour was that at least 5 different hacking groups were in ubisoft's systems and yeah some might have got their via bribes rather than mongodb https://x.com/vxunderground/status/2005483271065387461

More comments...