Securing your Memcached Server

Vulnerability description:

By default memcached is available to the world on UDP and TCP port 11211. Among other utilities, something as simple as telnet can be used to connect to memcached and issue a 'stats' command to obtain information about the service itself, or other commands to retrieve the data that the service has cached. Depending on the purpose this service has in your infrastructure, and on the information management policies and programming standards within your organization, this service could be caching very sensitive information. A publicly available service could be providing sensitive information to third parties without your knowledge.

The UDP-based memcached service can be abused to amplify denial-of-service attack traffic. The attacker sends a large number of UDP packets to the memcached service with a spoofed source IP address, so that the much larger memcached replies saturate the target.

Despite its default configuration, this service should never be available to the public; access should be restricted to your own infrastructure.

Affected versions:

All versions of memcached

How to verify if your server is vulnerable:

You can test your server's IP using the following commands (replace <ipaddress> with your server's IP address):

Test for UDP:

# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u <ipaddress> 11211

Test for TCP:

# nmap -Pn -p 11211 <ipaddress> --script memcached-info

This is the output if the port is open:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-01 10:09 EDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.063s latency).
PORT      STATE SERVICE
11211/tcp open  unknown
| memcached-info:
|   Process ID           1726
|   Uptime               43215969 seconds
|   Server time          2015-04-01T14:09:03
|   Architecture         32 bit
|   Used CPU (user)      0.728889
|   Used CPU (system)    1.032842
|   Current connections  10
|   Total connections    1678
|   Maximum connections  1024
|   TCP Port             11211
|   UDP Port             11211
|_  Authentication       no
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
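The UDP probe above, written out in Python as an added example (this is not code from the original article). It builds the same 8-byte memcached UDP header the echo/nc command sends, reassembles a stats reply that arrives split across several datagrams, and reports how many reply bytes each request byte produced, which is the amplification factor that makes an exposed UDP port attractive to the reflection attack described earlier. The function names are mine and SAMPLE_REPLY is a constructed reply, not a live capture.

```python
import socket
import struct

# memcached UDP frame header, 8 bytes big-endian: request id | sequence number | total datagrams | reserved.
# The nc probe above is exactly: id 0, seq 0, total 1, reserved 0, followed by "stats\r\n".
UDP_HDR = struct.Struct("!HHHH")

def build_udp_probe(command=b"stats", request_id=0):
    return UDP_HDR.pack(request_id, 0, 1, 0) + command + b"\r\n"

def parse_udp_frame(datagram):
    """Return (request_id, seq, total, payload) for one reply datagram."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = UDP_HDR.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HDR.size:]

def reassemble(datagrams):
    """Large replies span several datagrams that may arrive out of order: sort by seq, join payloads."""
    return b"".join(frame[3] for frame in sorted(parse_udp_frame(d) for d in datagrams))

def parse_stats(payload):
    """Map 'STAT <name> <value>' lines (everything before END) to a dict."""
    lines = payload.decode("ascii", "replace").split("\r\nEND\r\n")[0].split("\r\n")
    return dict(line.split(" ", 2)[1:] for line in lines if line.startswith("STAT "))

def amplification_factor(request, replies):
    """Reply bytes per request byte: what an exposed UDP port hands a reflection attacker."""
    return sum(len(r) for r in replies) / len(request)

def probe_udp(host, port=11211, timeout=2.0):
    """Send one stats probe to your own server; None means no UDP answer (disabled or filtered)."""
    request, replies = build_udp_probe(), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:  # read until the server goes quiet
                replies.append(sock.recvfrom(65535)[0])
        except socket.timeout:
            pass
    if not replies:
        return None
    return {"stats": parse_stats(reassemble(replies)),
            "amplification": amplification_factor(request, replies)}

# Constructed sample reply (values copied from the nmap output above, not a live capture),
# split over two datagrams and delivered out of order.
SAMPLE_REPLY = [UDP_HDR.pack(0, 1, 2, 0) + b"STAT curr_connections 10\r\nEND\r\n",
                UDP_HDR.pack(0, 0, 2, 0) + b"STAT pid 1726\r\nSTAT uptime 43215969\r\n"]
```

Run probe_udp("<ipaddress>") against your own server: a dict back means UDP is answering and should be disabled or filtered as described under Resolution; None means nothing answered within the timeout.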

Resolution:

1) If your organization does not require memcached, disable the service and ultimately uninstall it from the server.

2) If memcached is only needed by the server on which the service runs:

Edit the configuration file /etc/sysconfig/memcached and change:

OPTIONS=""

To the following:

OPTIONS="-l 127.0.0.1"

and restart your memcached service using the command:

service memcached restart

Be sure to update the services which use this memcached instance to connect via "127.0.0.1" or "localhost" as the server address, or they may no longer be able to reach it.

3) If memcached needs to be available to other servers within your organization:

The best option in this case is to block public access to this service and allow only certain IP addresses, using packet filtering (e.g. iptables) or a hardware firewall if one is available.

Optionally: 

A more advanced configuration may be used to allow access to authorized hosts with SASL authentication:
http://www.shanison.com/2014/04/29/setup-memcached-with-sasl-authentication/

memcached with Zimbra: https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
