Posted: May 14th, 2017
Vulnerability description:
By default, memcached is available to the world on UDP and TCP port 11211. Among other utilities, it may be possible to use something as simple as telnet to connect to memcached and issue a 'stats' command to obtain information about the service itself, or other commands to retrieve the data that is cached by the service. Depending on the purpose this service has in your infrastructure, and on the information management policies and programming standards within your organization, this service could be caching very sensitive information. A publicly available service could be providing sensitive information to third parties without your knowledge.
The UDP-based memcached service can be abused to amplify denial-of-service attack traffic. The attacker generates a large number of UDP packets to the memcached service with a spoofed source IP address to saturate a target with memcached replies.
Despite its default configuration, this service should never be available to the public, and access should be restricted to your own infrastructure.
Affected versions:
All versions of memcached
How to verify if your server is vulnerable:
You can test your server's IP using the following commands (replace <ipaddress> with your server's IP address):
Test for UDP:
# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <ipaddress> 11211
Output if exposed:
STAT pid 1111
STAT uptime 246345
STAT time 1526499414
STAT version 1.4.4
STAT pointer_size 64
[...]
Test for TCP:
# nmap -Pn -p 11211 <ipaddress> --script memcached-info
This is the output if it's open:
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-01 10:09 EDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.063s latency).
PORT STATE SERVICE
11211/tcp open unknown
| memcached-info:
| Process ID 1726
| Uptime 43215969 seconds
| Server time 2015-04-01T14:09:03
| Architecture 32 bit
| Used CPU (user) 0.728889
| Used CPU (system) 1.032842
| Current connections 10
| Total connections 1678
| Maximum connections 1024
| TCP Port 11211
| UDP Port 11211
|_ Authentication no
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
Resolution:
1) If your organization does not require memcached you should disable this service and ultimately uninstall it from the server.
2) If memcached is only needed by the server on which the service runs:
Edit the configuration file: /etc/sysconfig/memcached
and change:
OPTIONS=""
To the following:
OPTIONS="-l 127.0.0.1"
and restart your memcached service using the command:
service memcached restart
Be sure to update the services that use this memcached service so that they connect via "127.0.0.1" or "localhost" as the server's IP address; otherwise the service may stop being accessible to them.
3) If memcached needs to be available to other servers within your organization:
The best option in this case is to block public access to this service and only allow access from certain IP addresses, using a packet filter (e.g. iptables) or a hardware firewall if one is available.
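One way to express the packet-filter approach from option 3, as an added example that is not part of the original advisory: the script validates an allow-list of IPv4 sources and prints, for review, iptables rules covering both TCP and UDP port 11211. The function names and the addresses 10.0.0.5 and 10.0.1.0/24 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that restrict memcached
# on TCP and UDP 11211 to an allow-list. All addresses here are constructed.
MEMCACHED_PORT=11211

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Only digits and dots, no leading or trailing dot (also blocks globbing).
    case $addr in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print rules: allow loopback and each listed source, then drop everything
# else, for TCP and UDP alike. Nothing is printed if any source is invalid.
memcached_fw_rules() {
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for proto in tcp udp; do
        echo "iptables -A INPUT -i lo -p $proto --dport $MEMCACHED_PORT -j ACCEPT"
        for src in "$@"; do
            echo "iptables -A INPUT -p $proto -s $src --dport $MEMCACHED_PORT -j ACCEPT"
        done
        echo "iptables -A INPUT -p $proto --dport $MEMCACHED_PORT -j DROP"
    done
}

# Constructed allow-list: one application server and one internal subnet.
memcached_fw_rules 10.0.0.5 10.0.1.0/24
```

Because -A appends to the chain, check the existing INPUT rules first: an earlier, broader ACCEPT rule would still match before these. After applying the rules, re-run the UDP and TCP tests above from a host outside the allow-list to confirm the port no longer answers.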
Optionally:
A more advanced configuration may be used to allow access to authorized hosts with SASL authentication:
http://www.shanison.com/2014/04/29/setup-memcached-with-sasl-authentication/
memcached with Zimbra: https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack