[Important Security Warning] Memcached UDP Reflection Attacks Vulnerability Warning

This week, Alibaba Cloud Security Center detected malicious exploits of the Memcached service on the Internet. If the Memcached service is running with the UDP protocol open by default and access control not enabled, it may be exploited by attackers, resulting in outbound bandwidth consumption or CPU resource consumption.

Alibaba Cloud ApsaraDB for Memcache does not use the UDP protocol, so it is not affected by default, and users can safely use it. At the same time, Alibaba Cloud reminds users to pay attention to their own services and start an emergency investigation.

Affected area:
Self-built Memcached services with the Memcached UDP port 11211 open.

Investigation method:
1. Test whether the Memcached 11211 UDP port is open from the Internet. You can use the nc tool to test the port, and check whether the server is running the memcached process. The specific test method is:
Test the port: nc -vuz [IP address] 11211
Test whether the memcached service is open: telnet [IP address] 11211. If the 11211 port is open, it may be affected.
Check the process: ps aux | grep memcached
2. You can test whether your server is vulnerable by running the command:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u 127.0.0.1 11211
If you see a non-empty response, your server is vulnerable.
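
The check in step 2, as an added Python example that is not part of the original advisory: it sends the same bytes to your own server and decodes the 8-byte frame header that precedes every Memcached UDP payload (request ID, sequence number, total datagrams, reserved). The function names build_probe, parse_frame and check_udp are this example's own.

```python
import socket
import struct

# Memcached UDP frame header: request ID, sequence number,
# total datagrams in the message, reserved (all 16-bit big-endian).
HEADER = struct.Struct("!HHHH")


def build_probe(request_id=0):
    """Same bytes as the advisory's echo command when request_id is 0."""
    return HEADER.pack(request_id, 0, 1, 0) + b"stats\r\n"


def parse_frame(datagram):
    """Split one UDP datagram into its frame header fields and payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte frame header")
    request_id, seq, total, _reserved = HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[HEADER.size:]}


def check_udp(host="127.0.0.1", port=11211, timeout=2.0):
    """Return parsed reply frames; an empty list means no UDP answer."""
    frames = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_probe(), (host, port))
            while True:
                data, _addr = sock.recvfrom(65535)
                frame = parse_frame(data)
                frames.append(frame)
                if len(frames) >= frame["total"]:
                    break  # every datagram of the reply has arrived
        except (OSError, ValueError):
            pass  # timeout, closed or filtered port, or malformed reply
    return frames


if __name__ == "__main__":
    frames = check_udp()
    if frames:
        size = sum(len(f["payload"]) for f in frames)
        print(f"UDP 11211 answered: {len(frames)} datagram(s), {size} payload bytes")
        print("Block or disable UDP as described in the Solution section.")
    else:
        print("No UDP response from 127.0.0.1:11211")
```

An empty result after the Solution steps are applied confirms that the server no longer answers on UDP.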

Solution:
1. If you are using the Memcached service and have opened UDP port 11211, we recommend that you use an ECS security group policy or other firewall policies to block UDP port 11211, so that the Memcached server cannot be accessed from the Internet through UDP.
2. It is recommended that you perform security hardening on the running Memcached service. For example, you can bind the service to a local listening IP, disable external access, disable the UDP protocol, and enable login authentication and other security features to improve Memcached security.
3. Memcached has officially released a new version in which UDP port 11211 is disabled by default. It is recommended that you upgrade to the latest version, 1.5.6.

If you have any questions, feel free to contact us by submitting a ticket at any time.

Alibaba Cloud