0 Votes
cpollfh-7680 asked ·

CosmoDB Mongo Firewall not blocking unauthenticated connections

I've set up Firewall CIDRs in my-mongodb -> Firewall and virtual networks, as per https://docs.microsoft.com/en-us/azure/cosmos-db/firewall-support

However, I'm seeing very strange behaviour:

If I try to connect from a whitelisted IP, the connection succeeds:
mongo REDACTED.mongo.cosmos.azure.com:10255 -u my_username -p my_password --ssl --sslAllowInvalidCertificates
This results in a mongo prompt globaldb:PRIMARY> and full access to the database and collections.

And if I try connecting from a non-whitelisted IP, the connection fails:
2020-06-18T16:43:12.206-0400 I NETWORK [js] DBClientConnection failed to receive message from REDACTED.mongo.cosmos.azure.com:10255 - SocketException: asio.ssl stream truncated
2020-06-18T16:43:12.207-0400 E QUERY [js] Error: network error while attempting to run command 'saslContinue' on host 'REDACTED.mongo.cosmos.azure.com:10255' :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-06-18T16:43:12.209-0400 F - [main] exception: connect failed
2020-06-18T16:43:12.209-0400 E - [main] exiting with code 1

However, if I try connecting without specifying the username and password, I'm able to access the mongo database. I get the mongo shell prompt and can do any unauthenticated commands, letting me do basic reconnaissance, like what the URLs are for the primary and secondaries, the name of the database, etc.

Expected behaviour: The firewall should drop all traffic not coming from a valid IP address. According to https://docs.microsoft.com/en-us/azure/cosmos-db/firewall-support it should at least result in a 403.



azure-cosmos-db

1 Vote
MarkBrownMSFT answered ·

These are not security issues for Cosmos DB. These commands only reveal information about the Cosmos DB service gateway, which is publicly accessible, and not specific to any account.

As Mongo connections come in via TCP, the gateway must terminate the connection before knowing the identity of the account it will be routed to. The gateway must emulate pre-authentication Mongo commands so that the client is able to authenticate. Once the client is authenticated, the firewall will be encountered and will handle connections as configured.

Thanks.


That makes sense, thank you!

1 Vote

1 Vote
MarkBrownMSFT answered ·

While you may be able to get a connection you should not have any access to any customer specific database or collections or their data. The only thing that may be visible would be the Cosmos account name itself but that is in public DNS anyway and mirrored back as part of the connection string passed in anyway.

Can you post some screen caps for what you are seeing?

Thanks.


0 Votes
cpollfh-7680 answered ·

Is it possible to set it up so that the connection times out from non-whitelisted IPs?

Unauthenticated, I'm able to run commands such as db.isMaster(), db.getLastErrorObj(), and db.version(). These reveal significantly more than the Cosmos account name.

db.isMaster() and db.version() reveal non-public information such as Mongo version and some configuration such as maxWriteBatchSize. This information can be used to create more specific attacks against the application using the Mongo database. db.getLastErrorObj() can be used to probe whether the attack payload is effective.

What screen caps would you like me to post?
