Securing your Memcached Server

Vulnerability description:

Unless told otherwise, the memcached daemon listens on every network interface on TCP port 11211 (versions before 1.5.6 also open UDP port 11211; some distribution packages ship a configuration that binds it to localhost instead). On a server with a public address the service is therefore reachable from the Internet, and it performs no authentication: something as simple as telnet or nc can connect, issue a 'stats' command to obtain information about the service itself, or issue other commands to retrieve the data that the service is caching. Depending on the purpose this service has in your infrastructure, and on the information management policies and programming standards within your organization, this service could be caching very sensitive information such as session data or application records. A publicly reachable instance could be handing that information to third parties without your knowledge.

Despite its default configuration, this service should never be reachable from the public Internet; access should be restricted to the hosts in your own infrastructure that actually need it.

Affected versions:

All versions of memcached. The protocol itself has no authentication, so exposure is a matter of which address the daemon is bound to and what can reach it, not of a particular release.

How to verify if your server is vulnerable:

You can test your server's IP using the following commands (replace <ipaddress> with your server's IP address):

$ printf 'stats items\r\nquit\r\n' | nc <ipaddress> 11211

The trailing 'quit' makes memcached close the connection so that nc exits; without it, some versions of nc sit waiting for more input after the reply. A reply consisting of 'STAT ...' lines followed by 'END' means the service is reachable from where you ran the command.

OR:

$ nmap -p 11211 <ipaddress> --script memcached-info

This is what the nmap output looks like when the port is open (note the "Authentication no" line: nothing stands between a remote client and the cached data):

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-01 10:09 EDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.063s latency).
PORT      STATE SERVICE
11211/tcp open  unknown
| memcached-info:
|   Process ID           1726
|   Uptime               43215969 seconds
|   Server time          2015-04-01T14:09:03
|   Architecture         32 bit
|   Used CPU (user)      0.728889
|   Used CPU (system)    1.032842
|   Current connections  10
|   Total connections    1678
|   Maximum connections  1024
|   TCP Port             11211
|   UDP Port             11211
|_  Authentication       no
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
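The check above, written as a small script that parses the reply instead of relying on eyeballing it. This is an added example, not code from the original article: the parse function recognises a memcached 'stats' reply by its 'STAT pid' line and 'END' terminator, and the probe function drives nc the same way as the manual command. Host addresses and the script file name are assumptions; the sample reply in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: probe a host for an exposed
# memcached instance and parse the "stats" reply. Hosts passed in are assumed.

# Read a raw memcached "stats" reply from stdin. Print the version and pid and
# return 0 if it looks like memcached (a "STAT pid" line plus the "END"
# terminator); return 1 for an empty reply or for some other service.
parse_memcached_stats() {
    reply=$(tr -d '\r')           # memcached ends each line with \r\n
    printf '%s\n' "$reply" | grep -q '^STAT pid [0-9]' || return 1
    printf '%s\n' "$reply" | grep -q '^END$' || return 1
    version=$(printf '%s\n' "$reply" | awk '$2 == "version" { print $3 }')
    pid=$(printf '%s\n' "$reply" | awk '$2 == "pid" { print $3 }')
    # e.g. constructed reply "STAT pid 1726 / STAT version 1.4.15 / END"
    # yields: memcached version 1.4.15, pid 1726
    printf 'memcached version %s, pid %s\n' "${version:-unknown}" "$pid"
    return 0
}

# Connect to host:port (default 11211), ask for "stats", then send "quit" so
# that the server closes the connection and nc exits on its own. -w 3 bounds
# the wait when nothing answers. Returns 0 when memcached answered, i.e. when
# the service is reachable from where this script runs.
probe_memcached() {
    host=$1
    port=${2:-11211}
    printf 'stats\r\nquit\r\n' | nc -w 3 "$host" "$port" 2>/dev/null | parse_memcached_stats
}

# Usage:  sh check_memcached.sh <ipaddress> [port]
if [ $# -ge 1 ]; then
    if probe_memcached "$1" "${2:-11211}"; then
        echo "EXPOSED: memcached on $1 answered without authentication"
    else
        echo "no memcached reply from $1"
    fi
fi
```

Run it from a host outside your network as well as from inside: a "no reply" from the Internet combined with a reply from an internal client is the result you want after applying the resolution below.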

Resolution:

1) If your organization does not require memcached, disable the service and ultimately uninstall it from the server.

2) If memcached is only needed by the server on which the service runs:

Edit the configuration file /etc/sysconfig/memcached (this is the path on RHEL, CentOS and Fedora; on Debian and Ubuntu the equivalent file is /etc/memcached.conf, where the option goes on its own line as "-l 127.0.0.1")
and change:

OPTIONS=""

To the following:

OPTIONS="-l 127.0.0.1"

The -l option binds both the TCP and the UDP listener to the given address. If no client uses UDP at all, also add -U 0 to the same OPTIONS line to disable the UDP listener entirely.

Then restart your memcached service using the command:

service memcached restart

(or, on systemd-based systems, systemctl restart memcached).

Be sure to update the applications that use this memcached instance so that they connect to "127.0.0.1" (or "localhost") rather than to the server's public IP address; otherwise they will lose access once the daemon is bound to the loopback interface.
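After the restart, confirm that the daemon really is bound only to loopback rather than trusting the config file. The following is an added example, not part of the original article: it reads the output of "ss -tulnp" (the socket listing on current Linux systems) from stdin and reports any 11211 listener that is not on 127.0.0.1 or ::1. The sample ss lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: confirm that memcached listens
# only on loopback. Feed it "ss -tulnp" (or "ss -tuln") output on stdin.

# Print the local address of every listener on port 11211. The local
# address:port is the first whitespace-separated field ending in ":11211"
# (the peer address column ends in ":*"), so this works with or without the
# Netid column that ss prints when both -t and -u are given.
memcached_listen_addrs() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /:11211$/) { sub(/:11211$/, "", $i); print $i; break } }'
}

# Return 0 if every 11211 listener is on a loopback address (127.0.0.1, ::1,
# or ss's bracketed [::1]); return 1 if any listener is on another address,
# or if no listener is found at all (the service may simply be down).
# Non-loopback addresses are printed so the operator sees what is exposed.
# Constructed example line:
#   tcp LISTEN 0 1024 0.0.0.0:11211 0.0.0.0:* users:(("memcached",pid=1726,fd=26))
# would print "memcached still listening on 0.0.0.0" and return 1.
memcached_loopback_only() {
    found=0
    bad=0
    for addr in $(memcached_listen_addrs); do
        found=1
        case "$addr" in
            127.0.0.1|::1|\[::1\]) ;;
            *) bad=1; echo "memcached still listening on $addr" ;;
        esac
    done
    if [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Usage on a live host:
#   ss -tulnp | memcached_loopback_only && echo "OK: memcached is loopback only"
```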

3) If memcached needs to be available to other servers within your organization:

The best option in this case is to block public access to the service and allow connections only from specific IP addresses, using a host packet filter (e.g. iptables or nftables) or a hardware/network firewall if one is available. Bind the daemon to the server's internal (private) address with -l rather than leaving it on all interfaces, so that the firewall is a second layer rather than the only one, and remember to filter UDP port 11211 as well as TCP (or disable UDP with -U 0).
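One way to express that allow-list with iptables, as an added example that is not part of the original article. The script emits the rules for review and only executes them when APPLY=1 is set, since a wrong rule on a remote host is easy to lock yourself out with. The client addresses (10.0.0.5, 10.0.0.6) and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: restrict memcached (11211/tcp
# and 11211/udp) to an allow-list of internal hosts with iptables. The rules
# are printed for review; they are executed only when APPLY=1 (as root).

# Emit the iptables commands for the given allowed sources (addresses or
# CIDRs). Order matters: the ACCEPT rules must precede the final DROP. The
# rules are appended to INPUT, so if the chain already ends in a catch-all
# rule they must be moved above it (or use -I with an explicit position).
memcached_fw_rules() {
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 11211 -s $src -j ACCEPT"
        echo "iptables -A INPUT -p udp --dport 11211 -s $src -j ACCEPT"
    done
    # Local clients on the same host keep working via loopback
    echo "iptables -A INPUT -p tcp --dport 11211 -i lo -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 11211 -i lo -j ACCEPT"
    # Default deny for the memcached ports; keep these last
    echo "iptables -A INPUT -p tcp --dport 11211 -j DROP"
    echo "iptables -A INPUT -p udp --dport 11211 -j DROP"
}

# Number of rules the allow-list expands to (2 per source + 2 loopback + 2 drop)
memcached_fw_rule_count() {
    memcached_fw_rules "$@" | wc -l | tr -d ' '
}

# Print each rule; with APPLY=1 also run it. Execution stops at the first
# failing iptables call so a partial rule set is not left in place silently.
apply_memcached_fw_rules() {
    memcached_fw_rules "$@" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $rule"
            sh -c "$rule" || exit 1
        else
            echo "$rule"
        fi
    done
}

# Review:  sh memcached_fw.sh 10.0.0.5 10.0.0.6
# Apply:   APPLY=1 sh memcached_fw.sh 10.0.0.5 10.0.0.6   (as root)
if [ $# -ge 1 ]; then
    apply_memcached_fw_rules "$@"
fi
```

Whatever tool you use, re-run the probe from an outside address afterwards: the firewall is only doing its job if the 'stats' request gets no reply from anywhere but the listed hosts. Persist the rules with your distribution's iptables-save mechanism or they will not survive a reboot.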

Optionally:

A more advanced configuration may be used to allow access to authorized hosts with SASL authentication. Note that memcached's SASL support is only available over its binary protocol, so every client must support that as well, and that authentication complements the firewall rule rather than replacing it:

http://www.shanison.com/2014/04/29/setup-memcached-with-sasl-authentication/
