Memcached server vulnerable to data exfiltration/modification and Denial-of-Service

Advisory: CERT.be Advisory #2018-006
Version: 1.0
Impacted software: Memcached servers
Type: Denial-of-Service (DoS), Data exfiltration

Sources

https://thehackernews.com/2018/03/prevent-memcached-ddos.html

Fixed version: Memcached 1.5.6

Risks

CERT.be recommends that system administrators disable the UDP protocol manually or install the latest Memcached version, 1.5.6, which disables the UDP protocol by default, to prevent amplification/reflection DDoS attacks. If possible, bind the service to a local interface.

The vulnerability, tracked as CVE-2018-1000115, has been categorized as a "Denial-of-Service" issue, but it can be exploited beyond leveraging it for a DDoS attack. Researchers claim that remote attackers can also exploit it to read or modify data without any authentication by issuing a simple debug command. Attackers can also shut down the database, causing a Denial of Service of the application using it.

Summary

Memcached is a high-performance, distributed memory object caching system that is widely used by dynamic database-driven websites to improve performance by caching data and objects in RAM.

Disabling UDP support can prevent Memcached servers from being abused as DoS reflectors; however, it is not a solution for the issue with the debug command. System administrators should remain vigilant and check whether the debug issue is exploitable on their servers.

Remediation

To mitigate the attack and prevent Memcached servers from being abused as DoS reflectors, an upgrade to version 1.5.6 is recommended, because it disables the UDP protocol by default.

CERT.be advises evaluating whether the Memcached server can be limited to binding to a local interface, and blocking the UDP protocol at the firewall level. Furthermore, CERT.be advises system administrators to look out for debug commands in logs and other sources.
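One way to check a server's memcached command line against the two settings recommended above (UDP disabled, bound to a local interface), as an added example that is not part of the CERT.be advisory; it assumes memcached's -U <udp-port> option (0 disables UDP) and -l <address> option, and parses only a single -l address.

```shell
#!/bin/sh
# Added example (not from the advisory): audit memcached start-up flags.
# Assumes the memcached options -U <udp-port> (0 disables UDP listener)
# and -l <address> (interface to bind to); a single address only.

# memcached_udp_enabled "<args>" -> 0 (true) if a UDP listener would be open.
memcached_udp_enabled() {
    mc_udp_port=11211      # pre-1.5.6 default: UDP on 11211 unless -U 0
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  mc_udp_port="$2"; shift ;;
            -U*) mc_udp_port="${1#-U}" ;;
        esac
        shift
    done
    [ "$mc_udp_port" != "0" ]
}

# memcached_bound_locally "<args>" -> 0 (true) if -l names a loopback address.
memcached_bound_locally() {
    mc_bind=""             # no -l means memcached binds to all interfaces
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)  mc_bind="$2"; shift ;;
            -l*) mc_bind="${1#-l}" ;;
        esac
        shift
    done
    case "$mc_bind" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_memcached_args "<args>" -> 0 when both settings are safe, 1 otherwise.
audit_memcached_args() {
    mc_status=0
    if memcached_udp_enabled "$1"; then
        echo "WARN: UDP listener enabled (add -U 0 or upgrade to 1.5.6)"
        mc_status=1
    fi
    if ! memcached_bound_locally "$1"; then
        echo "WARN: not bound to a local interface (use -l 127.0.0.1)"
        mc_status=1
    fi
    return $mc_status
}

# On a live host: audit_memcached_args "$(ps -o args= -C memcached)"
```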