On October 31, 2016, Memcached released a security patch that fixes multiple remote code execution vulnerabilities. Attackers can exploit these vulnerabilities to steal data held by the Memcached service or to crash the service, resulting in a denial of service (DoS). We recommend that you upgrade Memcached to official version 1.4.33 or later.
The vulnerabilities are tracked as CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706:
- CVE-2016-8704: Memcached Append and Prepend remote code execution vulnerability
- CVE-2016-8705: Memcached Update remote code execution vulnerability
- CVE-2016-8706: Memcached SASL authentication remote code execution vulnerability
By sending a specially crafted Memcached command to the server, an attacker can exploit these vulnerabilities to execute code remotely or crash the service, causing a DoS that seriously disrupts the service.
Condition and method of exploitation
- Port 11211 of the Memcached service is reachable from the Internet.
- The Memcached version is earlier than 1.4.33.
How to fix or mitigate
Upgrade Memcached to official version 1.4.33, which can be downloaded from http://www.memcached.org/files/memcached-1.4.33.tar.gz.
Use the ECS security group policy to restrict access from Internet IP addresses to port 11211 (public network inbound) of the Memcached service. For more information, see Security group configuration methods.
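The two exploitation conditions above can be audited from the host itself. The following Python check is an added example, not part of the advisory or of the Memcached project: it parses the reply to Memcached's plain-text `version` command against the fixed release 1.4.33, and scans `ss -ltn` output for port 11211 bound to a wildcard address (the sample `ss` output is constructed).

```python
import re
import socket

# Memcached answers the plain-text "version" command with "VERSION x.y.z\r\n".
PATCHED = (1, 4, 33)   # first release carrying the fix for CVE-2016-8704/8705/8706
MEMCACHED_PORT = 11211

def parse_version(reply):
    """Turn a 'VERSION 1.4.25' reply into a (major, minor, patch) tuple, or None."""
    m = re.match(r"VERSION\s+(\d+)\.(\d+)\.(\d+)", reply.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def is_vulnerable(reply):
    """True when the reported release predates 1.4.33; None when the reply is not parseable."""
    v = parse_version(reply)
    if v is None:
        return None
    return v < PATCHED

def exposed_listeners(ss_output, port=MEMCACHED_PORT):
    """Return the wildcard local addresses on which `port` is listening, from `ss -ltn` text.
    A wildcard bind (0.0.0.0, *, [::]) means the daemon answers on every interface, so only
    a firewall or security group rule keeps it off the Internet."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port) and addr in ("0.0.0.0", "*", "[::]"):
            exposed.append(addr)
    return exposed

def query_version(host, port=MEMCACHED_PORT, timeout=3.0):
    """Ask a live Memcached for its version over TCP (the real check; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"version\r\n")
        return s.recv(128).decode("ascii", "replace")

# Constructed sample output of `ss -ltn` for the offline demonstration.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024   0.0.0.0:11211        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379       0.0.0.0:*
LISTEN 0      1024   [::]:11211           [::]:*
"""

if __name__ == "__main__":
    print(is_vulnerable("VERSION 1.4.25"), exposed_listeners(SAMPLE_SS))
```

On a real host, feed `query_version("127.0.0.1")` and the output of `ss -ltn` to the two functions; a `True` plus a non-empty listener list means both exploitation conditions are met.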