Sensitive Data exposure and DDoS attack vulnerability in misconfigured Memcached

Software Affected:

• Memcached service prior to version 1.5.6

Abstract:

Memcached is a distributed memory caching system designed for speeding up websites and applications content load faster by temporarily storing its contents. This cached content will be delivered from Memcache in case of repetitive user visits to the websites or applications. As open-source software, Memcached could be vulnerable to attacks, which could allow attackers to cause DDoS amplification attacks on targeted website or applications servers.

Technical Description:

A vulnerability has been reported in unsecured Memcached servers exposed to internet wherein an unauthenticated attacker could access the Memcached and take complete control over the key-value store. Memcached servers have the UDP port 11211 open by default which is an exponential vector to the Vulnerability. UDP (User Datagram Protocol) is particularly vulnerable as it allows data to be transferred before the end receiving party agrees to the communication. An unauthenticated attacker could send a maliciously crafted spoofed requests of few bytes to a vulnerable UDP Memcached server, which could start sending contents of Memcache in response. This may trigger a thousand times bigger legitimate response from vulnerable Memcached server against the targeted (spoofed) IP address, resulting in a DDoS amplification attack against the recipient of the reflected traffic.

Vulnerability Assessment:

Execute the below command from external network to check if a Memcached server is accessible from the Internet via TCP:

• echo "stats" | netcat [server_ip] 11211

Execute the below command from external network to check if a Memcached server is openly accessible from the Internet via UDP:

• echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u [server_ip] 11211

If Memcached is running, it is expected that information about the Memcached server would appear on the screen.

Countermeasures and Best practices for prevention:

• Disable UDP support if not in use.
• Memcached Server may be protected by employing specific Firewall rules, if there is a need to expose server over internet.
• Deploy Firewalls to track or block UDP/TCP port 11211 for all ingress and egress traffic.
• Deploying an explicit IPv4 block on UDP 11211 with a length of 1428 will stop the reflection attack.
• Consider Rate Limiting UDP port 11211 to minimize risk.

Solution:

Upgrade to the latest version of Memcached service from the website:

• https://memcached.org/downloads

References:

• https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/
• https://www.akamai.com/us/en/resources/our-thinking/threat-advisories/ddos-reflection-attack-memcached-udp.jsp
• https://www.senki.org/memcached-on-port-11211-udp-tcp-being-exploited/
• https://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-and-minimizing-risk-to-and-from-your-customers/
• https://www.bleepingcomputer.com/news/security/memfixed-tool-helps-mitigate-memcached-based-ddos-attacks/
• https://access.redhat.com/solutions/3369081
• https://www.jpcert.or.jp/at/2018/at180009.html
• https://us-cert.cisa.gov/ncas/alerts/TA14-017A
• https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
• https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/memcached-under-attack/