Potential Open edX installation security vulnerability

48 views
Skip to first unread message

George Song

unread,
Jan 6, 2017, 4:38:32 PM1/6/17
to edx-...@googlegroups.com

Hi everyone,

We recently discovered a security vulnerability using Open edX Full Stack or native installation methods. Please read the post in openedx-ops for a thorough explanation.

-- 
George

Ernesto Sanchez

unread,
Jan 6, 2017, 5:48:30 PM1/6/17
to General Open edX discussion
thank you very much
Rizky Ariestiyansyah
unread,
Jan 7, 2017, 4:26:07 AM1/7/17
to Open edX operations, edx-...@googlegroups.com, openedx-...@googlegroups.com
If use EC2 you can allow specific ports and ip address for incoming request by change inbound settings in your security group.


On Saturday, January 7, 2017 at 4:30:31 AM UTC+7, George Song wrote:
Hi everyone,
We recently discovered a security vulnerability using Open edX Full Stack or native installation methods. The vulnerability is due to the fact that MongoDB will accept connections from outside the server, with the default admin user and password.
Am I Vulnerable?
There are two things to check, both require you to login into the server where your MongoDB is installed.
  1. Is my port open to the world?
    $ netstat -plunt | grep 27017
tcp    0    0 0.0.0.0:27017    0.0.0.0:*    LISTEN
    If you see 0.0.0.0:27017, then your MongoDB is accepting connections from anyone who can reach this machine, unless you’ve activated a firewall on the machine or upstream in your network.
  2. Am I using the default admin account and password?
    $ mongo admin -u admin -p password --eval "db.getMongo().getDBNames()"
MongoDB shell version: 2.6.12
connecting to: admin
admin,edxapp,local,cs_comments_service_development
    If this command runs successfully, then you are using the default admin account and password.
If you’re able to complete both steps, then your MongoDB is vulnerable.
What Should I Do?
The quickest way to address this vulnerability is to configure your MongoDB to only accept requests from within the same server.
  1. Edit /etc/mongod.conf and add the following line to the end of the file:
    bind_ip = 127.0.0.1
  2. Restart the mongod service.
    • If you’re on Ubuntu 12.04:
      sudo service mongod restart
    • If you’re on Ubuntu 16.04:
      sudo systemctl restart mongod
  3. Verify that MongoDB is now only listening on 127.0.0.1:
    $ netstat -plunt | grep 27017
tcp    0    127.0.0.1:27017    0.0.0.0:*    LISTEN
Another additional step you can take is to install UFW and only allow specific ports for incoming requests (for example, http:80, https:443, ssh:22).
For future installations, please refer to https://openedx.atlassian.net/wiki/display/OpenOPS/How+to+Override+Default+Configuration+Passwords+and+Verify+Exposed+Services for more comprehensive security information.

-- 
George
Reply all
Reply to author
Forward
0 new messages