Securing your Memcached Server

Posted: May 14th, 2017

Vulnerability description:

By default memcached is available to the world on UDP and TCP port 11211. Among other utilities, it may be possible to use something as simple as telnet to connect to memcached and issue a 'stats' command to obtain information about the service itself, or other commands to retrieve the data cached by the service. Depending on the purpose this service has in your infrastructure, and on the information management policies and programming standards within your organization, this service could be caching very sensitive information. A publicly available service could be providing sensitive information to third parties without your knowledge.

The UDP-based memcached service can be abused to amplify denial-of-service traffic: the attacker sends a large number of small UDP requests to the memcached service with the source IP address spoofed to that of the target, so that the much larger memcached replies saturate the target.

Despite its default configuration, this service should never be available to the public; access should be restricted to your own infrastructure only.

 

Affected versions:

All versions of memcached

 

How to verify if your server is vulnerable:

You can test your server's IP address using the following commands (replace <ipaddress> with your server's IP address):

 

Test for UDP:

# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <ipaddress> 11211

Output if exposed:

STAT pid 1111
STAT uptime 246345
STAT time 1526499414
STAT version 1.4.4
STAT pointer_size 64
[...]

 

Test for TCP:

# nmap -Pn -p 11211 <ipaddress> --script memcached-info

This is the output if it's open:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-01 10:09 EDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.063s latency).
PORT      STATE SERVICE
11211/tcp open  unknown
| memcached-info:
|   Process ID           1726
|   Uptime               43215969 seconds
|   Server time          2015-04-01T14:09:03
|   Architecture         32 bit
|   Used CPU (user)      0.728889
|   Used CPU (system)    1.032842
|   Current connections  10
|   Total connections    1678
|   Maximum connections  1024
|   TCP Port             11211
|   UDP Port             11211
|_  Authentication       no
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
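The two manual probes above can be wrapped in a small script for checking the servers you administer. This is an added example and not part of the original advisory; it assumes a netcat that accepts -u (UDP) and -w (timeout), flags that differ between netcat variants, and the reply parsing works offline on a captured reply.

```shell
#!/bin/sh
# Added example (not from the original advisory): probe a memcached server
# you administer over UDP and TCP and report whether it answers "stats"
# without authentication. Assumes a netcat that accepts -u (UDP) and -w
# (timeout in seconds); flags differ between netcat variants.

# memcached UDP frame header: request id 0, sequence 0, 1 datagram, reserved 0.
UDP_HEADER='\000\000\000\000\000\001\000\000'

# Send "stats" over UDP and print the raw reply, header included.
memcached_udp_probe() {
    printf "${UDP_HEADER}stats\r\n" | nc -u -w 2 "$1" 11211
}

# Send "stats" then "quit" over TCP and print the reply.
memcached_tcp_probe() {
    printf 'stats\r\nquit\r\n' | nc -w 2 "$1" 11211
}

# Drop the 8-byte UDP header from a reply read on stdin, leaving the text.
strip_udp_header() {
    tail -c +9
}

# Print the value of one STAT field (e.g. version) from reply text on stdin;
# prints nothing when the field is absent. CRs are removed because memcached
# terminates lines with CRLF.
stat_value() {
    tr -d '\r' | awk -v f="$1" '$1 == "STAT" && $2 == f { print $3; exit }'
}

# Print EXPOSED when STAT lines came back, CLOSED otherwise.
classify_reply() {
    if grep -q '^STAT '; then
        echo EXPOSED
    else
        echo CLOSED
    fi
}

# Usage: sh check_memcached.sh <ipaddress>
if [ -n "$1" ]; then
    echo "UDP 11211: $(memcached_udp_probe "$1" | strip_udp_header | classify_reply)"
    echo "TCP 11211: $(memcached_tcp_probe "$1" | classify_reply)"
fi
```

Run it against your own server's address; EXPOSED on either line means the service answers unauthenticated commands from wherever the probe was sent, and the fixes under Resolution apply. The parsing helpers can also be fed a reply captured with the nc command above.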

 

Resolution:

1) If your organization does not require memcached, you should disable this service and ultimately uninstall it from the server.

 

2) If memcached is only needed by the server on which the service runs:

Edit the configuration file /etc/sysconfig/memcached and change:

OPTIONS=""

to the following:

OPTIONS="-l 127.0.0.1"

and restart your memcached service using the command:

service memcached restart

Be sure to update the services that use this memcached instance to connect via "127.0.0.1" or "localhost" as the server address, or they may lose access to it.

 

3) If memcached needs to be available to other servers within your organization:

The best option in this case is to block public access to this service and allow only specific IP addresses, using packet filtering (e.g. iptables) or a hardware firewall if one is available.
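Steps 2 and 3 can be audited and prepared with a short script. This is an added example, not from the original advisory: it reads the OPTIONS line from /etc/sysconfig/memcached (the file the advisory edits), reports whether a -l bind address is set, and prints iptables rules that limit port 11211 to a trusted network. The CIDR 10.0.0.0/8 is a placeholder for your own address ranges.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit the memcached bind
# address in /etc/sysconfig/memcached (the file the advisory edits) and
# generate iptables rules that limit port 11211 to a trusted network.
# The CIDR 10.0.0.0/8 below is a placeholder for your own ranges.

# Print the address given to -l in the OPTIONS="..." line of the sysconfig
# file, or nothing when no -l is set (memcached then listens on all interfaces).
memcached_bind_address() {
    sed -n 's/^OPTIONS=".*-l *\([^ "]*\).*"$/\1/p' "$1"
}

# Succeed when memcached is bound to loopback or one specific address;
# fail when it would listen on every interface.
memcached_listen_restricted() {
    addr=$(memcached_bind_address "$1")
    [ -n "$addr" ] && [ "$addr" != "0.0.0.0" ]
}

# Print iptables rules that accept 11211/tcp and 11211/udp from loopback and
# the trusted CIDR and drop everything else. They are printed, not executed,
# so they can be reviewed first; pipe the output to sh to apply them.
memcached_firewall_rules() {
    trusted=$1
    for proto in tcp udp; do
        echo "iptables -A INPUT -i lo -p $proto --dport 11211 -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport 11211 -s $trusted -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport 11211 -j DROP"
    done
}

# Usage: sh harden_memcached.sh [config-file] [trusted-cidr]
if [ -n "$1" ]; then
    conf=$1
    trusted=${2:-10.0.0.0/8}   # placeholder trusted range
    if memcached_listen_restricted "$conf"; then
        echo "memcached binds to $(memcached_bind_address "$conf")"
    else
        echo "WARNING: no -l option in $conf; memcached listens on all interfaces"
    fi
    echo "Suggested firewall rules for $trusted:"
    memcached_firewall_rules "$trusted"
fi
```

The rules are appended with -A, so they assume no earlier rule in the INPUT chain already accepts traffic to port 11211; check the existing chain order before applying. Dropping 11211/udp from untrusted sources is what removes the amplification exposure described above, and if no client needs UDP at all, memcached's own -U 0 option turns the UDP listener off entirely.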

 

Optionally:

A more advanced configuration may be used to allow access to authorized hosts with SASL authentication:

http://www.shanison.com/2014/04/29/setup-memcached-with-sasl-authentication/

memcached with Zimbra: https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack