Call Us at: 08035531075 / 07084662132

WS Templates & SiteBuilders

Where Websites Come To Life

Securing your Memcached Server

Posted: May 14th, 2017

Vulnerability description:

By default memcached is available to the world on UDP and TCP port 11211. Among other utilities it may be possible to use something as simple as telnet to connect to memcached and issue a 'stat' command to obtain information about the service itself or other commands to retrieve the data that is cached by the service. Depending on the purpose this service has in your infrastructure, information management policies and programming standards within your organization this service could be cacheing very sensitive information. A publicly available service could be providing sensitive information to third parties without your knowledge.

The UDP-based memcached service can be abused to amplify denial-of-service attack traffic. The attacker generates a large number of UDP packets to the memcached service with a spoofed source IP address to saturate a target with memcached replies.

Despite it's default configuration this service should never be available to the public and access should be restricted to only your infrastructure.

Affected versions:

All versions of memcached

How to verify if your server is vulnerable:

You can test your server's IP using the following commands (Replace <ipaddress> with your server's IP address) :

Test for UDP:

# echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <ipaddress> 11211

Output if exposed:

STAT pid 1111

STAT uptime 246345

STAT time 1526499414

STAT version 1.4.4

STAT pointer_size 64

[...]

Test for TCP:

# nmap -Pn -p 11211 <ipaddress> --script memcached-info

This is the output if it's open:

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-01 10:09 EDT

Nmap scan report for xx.xx.xx.xx

Host is up (0.063s latency).

PORT STATE SERVICE

11211/tcp open unknown

| memcached-info:

| Process ID 1726

| Uptime 43215969 seconds

| Server time 2015-04-01T14:09:03

| Architecture 32 bit

| Used CPU (user) 0.728889

| Used CPU (system) 1.032842

| Current connections 10

| Total connections 1678

| Maximum connections 1024

| TCP Port 11211

| UDP Port 11211

|_ Authentication no

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

Resolution:

1) If your organization does not require memcached you should disable this service and ultimately uninstall it from the server.

2) If memcached is only needed by the server on which the service runs:

Edit the configuration file: /etc/sysconfig/memcached

and change:

OPTIONS=""

To the following:

OPTIONS="-l 127.0.0.1"

and restart your memcached service using the command:

service memcached restart

Be sure to update the services which are using this memcached service to connect via the IP address "127.0.0.1" or "localhost" as the server's IP address or the service may stop being accessible.

3) If memcached needs to be available to other servers within your organization:

The best option in this case is to block access to this service to the public and only allow access from certain IP addresses using a packet filtering (eg. iptables) or a hardware firewall if one is available.

Optionally:

A more advanced configuration may be used to allow access to authorized hosts with SASL authentication:

http://www.shanison.com/2014/04/29/setup-memcached-with-sasl-authentication/

memcached with Zimbra: https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack

Our Company

Domain Name Unit

Web Development Unit

Help Center

Network Infrastructure

Support Form

Promos & Specials

Tools & Social Networks

Live Chat

Facebook

Twitter

FAQs

Our Blog: The World of KEK