Security Experts:

Researchers Find 1PB of Data Exposed by Misconfigured Databases

Researchers have once again demonstrated that when it comes to securing data, configuration issues can be just as dangerous as vulnerabilities.

Experts from Zürich, Switzerland-based security company BinaryEdge have analyzed the Internet exposure and the impact of default configurations in the case of four highly popular database management systems.

The first solution they analyzed was Redis (REmote DIctionary Server), an open source key-value cache and store. According to DB-Engines, Redis is the most popular key-value database software.

A global Internet scan performed by BinaryEdge revealed 35,330 Redis instances that didn't have any type of authentication. Experts determined that the current quantity of data available for access was more than 13 terabytes.

By default, Redis is designed to listen on all network interfaces and it doesn’t use any type of authentication. Despite the fact that the security page on the official Redis website advises users not to expose their instances on the Internet and provides instructions for enabling at least a basic authentication mechanism, many users still leave their installations exposed.

Furthermore, while Redis 3.0.3 is the latest stable release, this version was only found on a few hundred instances. Even more worrying is the fact that roughly 10,000 instances were running version 2.6 or prior. The developers of Redis say 2.6 is an old version that should not be used.

BinaryEdge also analyzed instances of MongoDB, the cross-platform document-oriented database that is said to be the most popular NoSQL database system. Experts identified more than 39,000 MongoDB server instances that didn’t have any type of authentication, and over 7,000 instances that did have some sort of authentication enabled. In the case of MongoDB, researchers uncovered roughly 620 terabytes of data.

Interestingly, MongoDB instances located at 374 different IP addresses contained databases named “DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB." Apparently, someone has been connecting to insecure MongoDB instances and creating databases with this name.

Most of the data identified by experts is leaked by MongoDB servers in the United States, followed at a distance by China and Russia.

These findings are in line with a report published in July by John Matherly, founder of the computer search engine Shodan. Matherly found nearly 30,000 MongoDB instances accessible over the Web without authorization due to default configurations.

“We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarised here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices,” Kelly Stirman, VP of Strategy at MongoDB, told SecurityWeek last month.

BinaryEdge also analyzed Memcached, a general-purpose distributed memory caching system that is reportedly the second most popular key-value database software.

Experts identified 118,574 instances of Memcached accessible via the Internet, exposing a total of 11 terabytes of data. In the case of Memcached, most of the instances were running more recent 1.4.x versions.

“While it's good to see that at least there are a lot of Memcached installations on 1.4.*, it's disappointing to see the amount exposed to the web and the amount of data leaking,” researchers noted.

Elasticsearch, the search server based on Apache Lucene, is the last database system analyzed by the Swiss security firm. Researchers found 8,990 Elasticsearch instances exposing over 531 terabytes of data.

After analyzing the Elasticsearch versions running on these servers, BinaryEdge determined that some of them still run versions prior to 1.4.3. Elasticsearch 1.4.3 patches a remote code execution vulnerability (CVE-2015-1427) that has been exploited in the wild to hack servers.

In total, experts found 1,175 terabytes (roughly 1.1 petabytes) of data exposed online due to misconfigured installations housed by various organizations, from small firms to Fortune 500 companies.

A couple of worrying aspects have been highlighted by experts. Since these vulnerable databases are running old versions, in some cases attackers might be able to compromise the entire server. Furthermore, since some of the analyzed instances are used as cache servers, the data is always changing and malicious actors could be able to gain access to sensitive customer or company information, such as authentication session data.

“No specific company data or confidential data was collected by our probes, only statistical information for each technology. No data from this dataset will be made public. We are in the process of setting up an automated system that will alert companies of open technologies in their networks,” BinaryEdge noted.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.