MongoDB Authentication Scanning Modernization - Expanded Support for MongoDB 5.1+, SCRAM-SHA-256 authentication, and non-certificate authentications over SSL/TLS ports
Overview
Tenable is updating the Nessus plugin libraries to improve scanning of MongoDB databases. Tenable products have supported scanning of MongoDB databases for years, and we have been working on supporting newer and edge-case authentication mechanisms. We have expanded our coverage for MongoDB versions 5.1 and higher with additional communication methods and query support via OP_MSG, which exists in all modern MongoDB servers. We have also added support for SCRAM-SHA-256 authentication, and for SSL/TLS communication to MongoDB that does not use MONGODB-X509 authentication.
Impact
Customers currently running MongoDB scans may now be able to authenticate to MongoDB instances using newer authentication methods, with or without SSL/TLS on the MongoDB port.
Changes
Customers who want to present an X.509 certificate while authenticating with a password-based (non-MONGODB-X509) method will need to edit their scan policies to include Credentials->Miscellaneous->X.509 in addition to their existing MongoDB password credentials.
Customers running MongoDB 3.4 or older (end of life for 3 years) will need to upgrade to a more recent version, because OP_QUERY/OP_REPLY functionality has been disabled.
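The two protocol details behind these changes, OP_MSG framing and SCRAM-SHA-256 discovery, can be checked offline with a few lines of stdlib Python. The example below is added here and is not Tenable's plugin code: it frames a `hello` command as OP_MSG (the opcode a modern server requires once OP_QUERY is gone), asks via `saslSupportedMechs` which SASL mechanisms are enabled for a user, and parses a constructed reply; the user name `scanner`, the sample reply and all function names are assumptions for illustration.

```python
import struct
OP_MSG = 2013  # opcode every MongoDB 3.6+ server speaks; OP_QUERY (2004) is the legacy path
def bson_doc(fields):
    """Encode a dict as BSON (int32, string and array-of-string elements only)."""
    body = b""
    for key, val in fields.items():
        k = key.encode() + b"\x00"
        if isinstance(val, int):
            body += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        else:  # list -> BSON array, i.e. a subdocument keyed "0", "1", ...
            body += b"\x04" + k + bson_doc({str(i): v for i, v in enumerate(val)})
    return struct.pack("<i", len(body) + 5) + body + b"\x00"
def parse_doc(buf, pos=0):
    """Decode that subset plus doubles (a real server sends ok as 1.0); returns (dict, end)."""
    end, pos, out = pos + struct.unpack_from("<i", buf, pos)[0], pos + 4, {}
    while buf[pos] != 0:
        t, nul = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:nul].decode(), nul + 1
        if t == 0x10:   out[key], pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif t == 0x01: out[key], pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif t == 0x02:
            n = struct.unpack_from("<i", buf, pos)[0]
            out[key], pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t == 0x04:
            sub, pos = parse_doc(buf, pos)
            out[key] = [sub[str(i)] for i in range(len(sub))]
        else:
            raise ValueError(f"unsupported BSON type 0x{t:02x}")
    return out, end
def op_msg(body, request_id, response_to=0):
    """Frame one BSON document as OP_MSG: 16-byte header, flagBits=0, one kind-0 body section."""
    payload = struct.pack("<I", 0) + b"\x00" + body
    return struct.pack("<iiii", 16 + len(payload), request_id, response_to, OP_MSG) + payload
def build_hello(user, db="admin"):
    """'hello' that asks which SASL mechanisms are enabled for db.user (sent before any auth)."""
    return op_msg(bson_doc({"hello": 1, "$db": db, "saslSupportedMechs": f"{db}.{user}"}), 1)
def parse_reply(msg):
    """Body document of an OP_MSG reply; anything else (e.g. a legacy OP_REPLY) is rejected."""
    length, _, _, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_MSG or length != len(msg) or msg[20] != 0:
        raise ValueError("not a well-formed OP_MSG reply with a kind-0 body section")
    return parse_doc(msg, 21)[0]
def scram_sha256_offered(reply):
    return "SCRAM-SHA-256" in reply.get("saslSupportedMechs", [])
# Constructed sample reply (not captured from a real server): the user has a SHA-256 credential.
SAMPLE_REPLY = op_msg(bson_doc({"maxWireVersion": 17, "ok": 1,
                                "saslSupportedMechs": ["SCRAM-SHA-1", "SCRAM-SHA-256"]}), 7, 1)
```

A user whose reply lists only `SCRAM-SHA-1` still has a legacy credential and needs its password reset after `authenticationMechanisms` is tightened to SCRAM-SHA-256.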
Target Release Date
Immediate
Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.