
[Vulnerability notice] Memcached UDP port reflection attack vulnerability

Last Updated: Apr 08, 2018

On March 6, 2018, Alibaba Cloud Security Center discovered that attackers were exploiting a Memcached service weakness to launch malicious (reflection) attacks on the Internet. If Memcached is running with UDP enabled (the default in older versions) and no access control is configured, the service can be abused as a reflector, consuming outbound bandwidth or CPU resources on the server.

Alibaba Cloud ApsaraDB for Memcache does not use UDP and is therefore not affected by default. We recommend that you check any self-managed Memcached services and begin troubleshooting immediately.

Affected scope

Self-built Memcached services that expose Memcached UDP port 11211 to the Internet

Troubleshooting scheme

Follow these steps to perform troubleshooting:

  1. From a host on the Internet, test whether Memcached UDP port 11211 is reachable, and check whether the Memcached process is running on the server. The test method is as follows:

    • Run the following command to test the UDP port: nc -vuz IP address 11211

    • Run the following command to test whether the Memcached TCP port is reachable from the Internet: telnet IP address 11211
      If Memcached UDP port 11211 is reachable from the Internet, the server may be vulnerable.

    • Run the following command on the server to check the process status: ps -aux | grep memcached

  2. Run the following command and view the returned message: echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u IP address 11211
     If the returned message is not empty, the server answers stats requests over UDP and may be vulnerable.

Solution

  • If you are using the Memcached service and UDP port 11211 is reachable from the Internet, we recommend that you block UDP port 11211 in the Internet inbound direction by configuring a security group rule or another firewall policy on your ECS instance, as appropriate for your services. This prevents the Memcached server from communicating with the Internet over UDP.

  • We recommend that you add the -U 0 parameter and restart the Memcached service to completely disable UDP.

  • Memcached has released a new version in which UDP port 11211 is disabled by default. We recommend that you upgrade Memcached to the latest version, 1.5.6. The SHA-1 checksum for verifying the integrity of the downloaded file is ca35929e74b132c2495a6957cfdc80556337fb90.

  • We recommend that you perform security hardening on the running Memcached service.

    For example, bind Memcached to a local listening IP address, block access from the Internet, disable UDP, and enable security features such as authentication to improve Memcached security. For more information, see Memcached service security hardening.

Verification method

Follow these steps to verify the server repair measures:

  1. If you have blocked TCP port 11211 from the Internet, run the telnet ip 11211 command from a computer on the Internet (for example, an office computer). If a connection failure is returned, TCP port 11211 has been blocked successfully.

  2. If you have disabled Memcached UDP, run the following command to check whether Memcached UDP has been disabled successfully:

    echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u IP address 11211

    If the returned message is empty, Memcached UDP has been disabled successfully on your server. You can also run the netstat -an | grep udp command on the server to check whether Memcached UDP port 11211 is still bound. If no UDP socket is bound to port 11211, Memcached UDP has been disabled successfully.
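    The following audit helper is an added example, not part of the Alibaba Cloud notice. It wraps the UDP stats probe from step 2 of the troubleshooting scheme and the netstat and "-U 0" checks from the solution and verification sections into reusable shell functions, so the same checks can be rerun after hardening. The function names, the MEMCACHED_HOST variable and the sample netstat text are assumptions; the probe uses a read timeout because nc never sees an "end of stream" on UDP and would otherwise hang on a silent host.

```shell
#!/bin/sh
# Added audit helper (not from the Alibaba Cloud notice): wraps the checks
# from the troubleshooting and verification steps so they can be rerun
# against your own hosts. Function and variable names are assumptions.

# udp_stats_exposed HOST [TIMEOUT]
# Sends the same 8-byte UDP frame header + "stats\r\n" request as step 2.
# Returns 0 when the server answers (UDP 11211 reachable and enabled),
# 1 when nothing comes back before TIMEOUT seconds.
udp_stats_exposed() {
    host=$1; timeout=${2:-3}
    # Octal escapes instead of \x so this also works under POSIX sh/dash.
    reply=$(printf '\000\000\000\000\000\001\000\000stats\r\n' |
        nc -u -w "$timeout" "$host" 11211 2>/dev/null)
    [ -n "$reply" ]
}

# memcached_udp_listening NETSTAT_OUTPUT
# Scans "netstat -an" text (Linux layout: proto, recv-q, send-q, local addr)
# and returns 0 if any udp/udp6 socket is bound to port 11211, else 1.
memcached_udp_listening() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^udp/ && $4 ~ /:11211$/ { found = 1 }
             END { if (found) exit 0; exit 1 }'
}

# udp_disabled_in_cmdline CMDLINE
# Checks a memcached command line (e.g. from "ps aux") for the "-U 0"
# setting from the solution section; accepts both "-U 0" and "-U0".
udp_disabled_in_cmdline() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i == "-U0" || ($i == "-U" && $(i + 1) == "0")) ok = 1 }
             END { if (ok) exit 0; exit 1 }'
}

# Constructed sample of a host that still has UDP 11211 bound (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*'

# Live probe runs only when MEMCACHED_HOST is set, e.g.
#   MEMCACHED_HOST=203.0.113.10 sh memcached_udp_check.sh
if [ -n "${MEMCACHED_HOST:-}" ]; then
    if udp_stats_exposed "$MEMCACHED_HOST"; then
        echo "VULNERABLE: $MEMCACHED_HOST answers stats over UDP 11211"
    else
        echo "OK: no UDP stats reply from $MEMCACHED_HOST within the timeout"
    fi
fi
```

    Run the netstat check on the server itself (memcached_udp_listening "$(netstat -an)") and the stats probe from a host outside your network; the two results should agree after UDP has been disabled.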
