MongoDB Service Without Authentication Detection when running Nessus Vulnerability Scanner on VideoXpert.

Issue

False positive report when running Nessus Vulnerability Scanner on VideoXpert

Product Line

Pelco Video Management

Environment

  • VideoXpert
  • Nessus Vulnerability Scanner

Cause

Nessus checks the Mongo database by sending a probe command that only runs on mongod. However, Nessus is connecting to mongos instead. Because mongos cannot process the command, it fails in a different way than Nessus expects, and Nessus assumes that there is an authentication problem when there is not.

Resolution

VideoXpert has had Mongo authentication turned on since version 1.5. Please ensure that your system is running version 1.5 or greater.
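
The following is an added example, not Pelco's or Tenable's code, showing how a manual re-check can tell a real "no authentication" condition apart from the unrelated command failure described under Cause. It assumes the replies come from an unauthenticated connection on which a handshake (`isMaster`/`hello`) and one privileged command were sent; the reply documents and the command name `exampleProbe` are constructed for illustration.

```python
# Added example: triage replies received on an UNAUTHENTICATED connection.
# All reply documents below are constructed samples, not captured output.

UNAUTHORIZED = 13  # MongoDB error code "Unauthorized"
# Assumption: servers that omit the code still say one of these in errmsg.
AUTH_PHRASES = ("unauthorized", "not authorized", "requires authentication")


def is_mongos(hello_reply):
    """A mongos router identifies itself with msg == 'isdbgrid'."""
    return hello_reply.get("msg") == "isdbgrid"


def classify(hello_reply, cmd_reply):
    """Return (target, verdict) for a privileged command sent without credentials.

    verdict is one of:
      'auth-enforced'      the server refused the command for lack of credentials
      'auth-not-enforced'  the server executed the command without credentials
      'inconclusive'       the command failed for a reason unrelated to authentication
    """
    target = "mongos" if is_mongos(hello_reply) else "mongod"
    if cmd_reply.get("ok") == 1:
        return target, "auth-not-enforced"
    errmsg = str(cmd_reply.get("errmsg", "")).lower()
    if cmd_reply.get("code") == UNAUTHORIZED or any(p in errmsg for p in AUTH_PHRASES):
        return target, "auth-enforced"
    # Any other failure (for example a command the router does not implement)
    # says nothing about authentication and should not be reported as a finding.
    return target, "inconclusive"


# Constructed sample replies
HELLO_MONGOS = {"ismaster": True, "msg": "isdbgrid", "ok": 1}
HELLO_MONGOD = {"ismaster": True, "ok": 1}
REPLY_DENIED = {"ok": 0, "code": 13, "codeName": "Unauthorized",
                "errmsg": "command listDatabases requires authentication"}
REPLY_UNSUPPORTED = {"ok": 0, "code": 59, "codeName": "CommandNotFound",
                     "errmsg": "no such command: 'exampleProbe'"}  # hypothetical probe name
REPLY_OPEN = {"ok": 1, "databases": [{"name": "admin"}], "totalSize": 0}

if __name__ == "__main__":
    for hello, reply in [(HELLO_MONGOS, REPLY_UNSUPPORTED),
                         (HELLO_MONGOS, REPLY_DENIED),
                         (HELLO_MONGOD, REPLY_OPEN)]:
        print(classify(hello, reply))
```

An "inconclusive" result against mongos is the case this article describes; repeat the check with a command the router supports before treating the scanner finding as real.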