MongoBleed threatens databases, but detection tool is available
Briefly

"The critical vulnerability in MongoDB databases is being actively exploited and affects tens of thousands of servers worldwide. The vulnerability allows attackers to extract sensitive information from the server memory without requiring authentication. Credentials, session tokens, and personal data are particularly lucrative finds for cyber attackers. Various authorities and security company Wiz are warning of active exploits. The problem lies in MongoDB's zlib decompression mechanism and affects versions 4.4 through 8.2.2."
"The detection mechanism correlates three types of MongoDB log events: accepted connection (22943), client metadata (51800), and closed connection (22944). Legitimate MongoDB drivers always send metadata immediately after connecting. The MongoBleed exploit, on the other hand, connects, extracts memory, and disconnects without sending any metadata. The MongoBleed Detector is an offline command-line tool that analyzes MongoDB JSON logs. The tool does not require a network connection or additional agents, making it suitable for forensic investigation and incident response."
"The tool identifies suspicious patterns based on high connection volumes from a single IP address, the absence of client metadata, and short-lived burst behavior exceeding 100,000 connections per minute. The system supports compressed logs, works with both IPv4 and IPv6, and offers four levels of risk classification: HIGH, MEDIUM, LOW, and INFO. In addition, the tool includes a Python wrapper for remote execution via SSH. This allows security teams to scan multiple MongoDB instances simultaneously."
The MongoBleed vulnerability affects MongoDB versions 4.4 through 8.2.2 by exploiting the zlib decompression mechanism to leak server memory. Attackers can extract credentials, session tokens, and personal data without authentication. Tens of thousands of servers worldwide are potentially vulnerable, with Censys identifying ~87,000 instances and Wiz finding 42% of cloud environments with at least one vulnerable instance. The MongoBleed Detector analyzes MongoDB JSON logs offline, correlating accepted connection (22943), client metadata (51800), and closed connection (22944) events to find connections that lack client metadata and exhibit high-volume, short-lived bursts. The detector supports compressed logs, IPv4/IPv6, four risk levels, and a Python SSH wrapper for remote scans.
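The correlation described above (accepted connection 22943, client metadata 51800, closed connection 22944, then per-IP volume and metadata-less ratio), as an added example written for this summary; it is not the MongoBleed Detector's code or MongoDB's. The event field layout (`attr.remote`, `attr.connectionId` on 22943/22944, `ctx` of the form `connN` on 51800, `t.$date` timestamps) follows MongoDB 4.4+ structured logging as I know it and should be checked against your own logs; the risk thresholds and the embedded log lines are constructed for the example.

```python
"""Offline correlation of MongoDB JSON log events to flag MongoBleed-style
connections (added example; not the detector's own code). The idea: a real
driver sends client metadata (51800) right after the accept (22943); an
exploit client opens, reads memory, and closes (22944) without ever doing so."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Illustrative thresholds (assumptions, not the detector's real values).
BURST_PER_MINUTE = 50   # connections/minute from one IP treated as a burst
NO_META_FLOOR = 10      # metadata-less connections needed before flagging

_CONN_RE = re.compile(r"^conn(\d+)$")


def _ts(ev):
    """Parse the {"t": {"$date": "..."}} field into a datetime."""
    return datetime.fromisoformat(ev["t"]["$date"].replace("Z", "+00:00"))


def _ip(remote):
    """Drop the port from an IPv4 'a.b.c.d:port' or IPv6 '[addr]:port' remote."""
    host, _, _port = remote.rpartition(":")
    return host.strip("[]")


def correlate(lines):
    """One record per connectionId, built from raw JSON log lines."""
    conns = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise
        eid, attr = ev.get("id"), ev.get("attr", {})
        if eid == 22943:   # Connection accepted
            conns[attr["connectionId"]] = {"ip": _ip(attr["remote"]), "open": _ts(ev),
                                           "close": None, "metadata": False}
        elif eid == 51800:  # client metadata; ctx is "connN"
            m = _CONN_RE.match(ev.get("ctx", ""))
            if m and int(m.group(1)) in conns:
                conns[int(m.group(1))]["metadata"] = True
        elif eid == 22944 and attr.get("connectionId") in conns:  # Connection ended
            conns[attr["connectionId"]]["close"] = _ts(ev)
    return conns


def per_ip_stats(conns):
    """Per remote IP: total connections, metadata-less count, peak opens/minute."""
    acc = defaultdict(lambda: {"total": 0, "no_metadata": 0, "per_min": defaultdict(int)})
    for c in conns.values():
        s = acc[c["ip"]]
        s["total"] += 1
        s["no_metadata"] += 0 if c["metadata"] else 1
        s["per_min"][c["open"].replace(second=0, microsecond=0)] += 1
    return {ip: {"total": s["total"], "no_metadata": s["no_metadata"],
                 "peak_per_minute": max(s["per_min"].values())} for ip, s in acc.items()}


def classify(s):
    """Risk level from per-IP stats (HIGH/MEDIUM/LOW/INFO; thresholds assumed)."""
    if s["no_metadata"] >= NO_META_FLOOR and s["peak_per_minute"] >= BURST_PER_MINUTE:
        return "HIGH"
    if s["no_metadata"] >= NO_META_FLOOR and s["no_metadata"] / s["total"] >= 0.5:
        return "MEDIUM"
    return "LOW" if s["no_metadata"] else "INFO"


def detect(lines):
    """Return {ip: (level, stats)} for every remote IP in the log."""
    return {ip: (classify(s), s) for ip, s in per_ip_stats(correlate(lines)).items()}


def _ev(eid, cid, remote, ts, ctx="listener", msg=""):
    """Constructed log line in the MongoDB structured-log shape (assumed layout)."""
    return json.dumps({"t": {"$date": ts}, "s": "I", "c": "NETWORK", "id": eid, "ctx": ctx,
                       "msg": msg, "attr": {"remote": remote, "connectionId": cid}})


def sample_log():
    """Constructed sample: one legitimate PyMongo client, one IPv6 client, and a
    60-connection burst from 203.0.113.9 that never sends metadata."""
    lines = [_ev(22943, 1, "10.0.0.5:53212", "2026-01-05T10:00:00.000+00:00", msg="Connection accepted"),
             json.dumps({"t": {"$date": "2026-01-05T10:00:00.050+00:00"}, "s": "I", "c": "NETWORK",
                         "id": 51800, "ctx": "conn1", "msg": "client metadata",
                         "attr": {"remote": "10.0.0.5:53212", "client": "conn1",
                                  "doc": {"driver": {"name": "PyMongo", "version": "4.6.0"}}}}),
             _ev(22944, 1, "10.0.0.5:53212", "2026-01-05T10:05:00.000+00:00", "conn1", "Connection ended"),
             _ev(22943, 2, "[2001:db8::1]:50000", "2026-01-05T10:00:10.000+00:00", msg="Connection accepted"),
             _ev(51800, 2, "[2001:db8::1]:50000", "2026-01-05T10:00:10.030+00:00", "conn2", "client metadata")]
    for i in range(60):
        cid, remote = 100 + i, f"203.0.113.9:{40000 + i}"
        lines.append(_ev(22943, cid, remote, f"2026-01-05T10:01:{i:02d}.000+00:00", msg="Connection accepted"))
        lines.append(_ev(22944, cid, remote, f"2026-01-05T10:01:{i:02d}.200+00:00", f"conn{cid}", "Connection ended"))
    return lines


if __name__ == "__main__":
    for ip, (level, s) in sorted(detect(sample_log()).items(), key=lambda kv: kv[1][0]):
        print(f"{level:6} {ip:16} total={s['total']} no_metadata={s['no_metadata']} "
              f"peak/min={s['peak_per_minute']}")
```

Run it on a real `mongod.log` by replacing `sample_log()` with the file's lines (gzip-compressed logs can be read with `gzip.open(path, "rt")`). The keying on `connectionId` matters: the accept and close events carry it in `attr`, while the metadata event only exposes it through the `connN` context string, so a detector that keys on the remote address alone conflates reused source ports and will misattribute metadata.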
Read at Techzine Global