Unprotected MongoDB Service: CVSS Score modification

IPv4v6 · March 22, 2019, 9:45pm

Dear OpenVAS developers, the gb_mongodb_no_auth.nasl contains the following rating:

script_tag(name:"cvss_base", value:"6.4");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");

That does not reflect the actual severity of the vulnerability.
When MongoDB authentication is disabled an attacker can dump, modify or delete all databases remotely.
Confidentiality and Integrity Impact should be changed to “Complete”.
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:C/I:C/A:N)

The CVSS 2 score would raise to 9.4.

Regards,
Stefan

cfi · March 26, 2019, 10:44am

While i think the severity of this VT should be raised using a Complete (C) for Confidentiality Impact (C) and Integrity Impact (I) doesn’t look correct to me:

As an attacker you don’t have full control (like when having “root” access to a system) but only access to the data the target system (in this case the MongoDB service) is providing to you.

Maybe the following rating similar to whats already used in Redis Server No Password (OID: 1.3.6.1.4.1.25623.1.0.105291):

  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

In the case of the Availability (A) you’re able to control the availability of the service by e.g. dropping / deleting the data in the scope you have access.

IPv4v6 · April 1, 2019, 8:53pm

Of course you do not have full control to the underlying operating system, but you have complete database access, so I would recommend to rate this vulnerability higher.

Please compare the Nessus plugin (https://www.tenable.com/plugins/nessus/81777) where the CVSS 2 score significantly differs from the CVSS 3 score (C:H/I:H/A:H).

Is there a repository for the NVTs? How can I submit a patch or pull request?

cfi · April 3, 2019, 7:01am

The VT was already updated according to Unprotected MongoDB Service: CVSS Score modification - #2 by cfi - Vulnerability Tests - Greenbone Community Forum. If you want to see an even higher severity you can also define your own severity via an Override.

Unfortunately there is currently no public repository or process available to accept external submissions/updates for VTs.

IPv4v6 · April 3, 2019, 10:26pm

Thanks for adjusting the CVSS score.

Are there any plans to publish the VTs in a git repository in the near future?

cfi · April 4, 2019, 1:46pm

The access to the SCM for the VTs was restricted not that long ago as announced here and i’m not aware of any plans to change this again.