TCP Dangerous Database

Port 27017 (MongoDB)

Learn about port 27017 (MongoDB) - security risks, vulnerabilities, and common uses. Find devices with port 27017 open.

Quick Info

Port Number

27017

Protocol

TCP

Service

MongoDB

IANA Name

MongoDB

Service Description

Port 27017 is the default TCP port used by MongoDB, a NoSQL document database. It's the primary port for client applications to connect to a MongoDB server instance. The protocol used on this port is MongoDB's binary wire protocol, a custom protocol designed for efficient communication between clients and the database. This protocol handles authentication, querying, data manipulation, and control operations. The MongoDB server listens on this port for incoming connections, processes requests, and sends back responses adhering to the wire protocol. At a technical level, connections are established using TCP, and data is serialized and deserialized into BSON (Binary JSON) format for transmission. Operations are encoded as messages within the wire protocol, including CRUD operations (Create, Read, Update, Delete), authentication commands, and administrative functions like index management and replication control. The wire protocol ensures that data is transmitted reliably and efficiently between the client and the server.

## Firewall Recommendations

Blocking port 27017 from external access is crucial if the MongoDB server does not need to be accessed directly from the internet. Allow access only from trusted IP addresses or internal networks. Implement strong authentication and authorization mechanisms, such as role-based access control (RBAC), to restrict access to sensitive data. Regularly update MongoDB to the latest version to patch known vulnerabilities. Consider using a VPN or SSH tunnel for remote access. Monitor the port for suspicious activity and implement intrusion detection systems. Use network segmentation to isolate the MongoDB server from other parts of the network. Ensure that the MongoDB configuration file is properly secured and that default credentials are changed immediately.

Security Information

Exposing port 27017 directly to the internet without proper authentication and authorization poses significant security risks. Attackers can exploit this access to bypass authentication entirely (if misconfigured), gain unauthorized access to sensitive data, perform denial-of-service attacks, or even execute arbitrary code on the server. Common attack vectors include brute-force attacks against weak passwords, exploiting known vulnerabilities in older MongoDB versions, and leveraging misconfigurations like default credentials or open access. The port is a prime target because MongoDB databases often contain valuable and sensitive information, making it an attractive target for data breaches and ransomware attacks. Without proper security measures, an attacker can easily gain complete control of the database and potentially the entire server.

Known Vulnerabilities

CVE	Name	Severity	Description
CVE-2021-20208	MongoDB Injection Vulnerability	High	A MongoDB injection vulnerability exists in versions before 4.4.4 and 4.0.24 where the readPrefMode parameter can be manipulated to inject arbitrary code.
CVE-2019-10758	MongoDB Driver Injection	Medium	A potential injection vulnerability exists in the MongoDB Node.js driver where an attacker can inject arbitrary commands.
CVE-2015-2705	MongoDB Authentication Bypass	Critical	MongoDB versions before 2.6.4 and 2.4.12 allow authentication bypass by sending an empty username and password.
CVE-2020-7947	MongoDB Denial of Service	Medium	A denial of service vulnerability exists in MongoDB versions before 4.2.3 where an attacker can cause a crash by sending a crafted query.