MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2018

 MA-696.032018: MyCERT Advisory – Security Guidance for Memcached

Date first published: 14/03/2018


1.0    Introduction

Red Hat has released security recommendations to address Distributed Denial of Service (DDoS) attacks that abuse Memcached. A Memcached server that listens on UDP and is reachable from the Internet can be exploited as a reflection and amplification vector, causing unexpected volumes of traffic to be sent to targeted systems and networks.

What is Memcached?

Memcached is an open source, high-performance, distributed memory object caching system. While it is generic in nature, it is intended for use in speeding up dynamic web applications by alleviating database load.

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Memcached allows applications to take memory from parts of the system where there is more than is needed and make it accessible to areas where applications have less than they need.


2.0    Impact

An attacker could exploit Internet-accessible Memcached services to launch reflected DDoS amplification attacks: small requests sent with a forged source address elicit much larger responses, which the server delivers to the victim whose address was spoofed.


3.0 Affected Product

Memcached servers that have UDP/11211 or TCP/11211 open and are Internet-accessible. Memcached servers running version 1.2.7 or later with default configurations should be assessed immediately.

4.0 Recommendation    

MyCERT advises Memcached users and system administrators to configure their Memcached servers properly and to follow industry best current practices, which include:

•    Using source-address validation to filter ingress traffic (BCP38/BCP84), so that packets with spoofed source addresses are dropped at the network edge.
•    Using access control lists (ACLs) to restrict source IP addresses and ports and to limit traffic.
•    Upgrading the Memcached server to version 1.5.6 or later, which disables the UDP protocol by default.
•    Evaluating whether the Memcached server can be limited to binding to a local interface, and blocking the UDP protocol at the firewall level.
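The last two recommendations can be checked directly from the daemon's start-up options. The following audit is an added example for this advisory, not MyCERT's or the memcached project's code. It relies on memcached's real flags: -U / --udp-port (0 disables UDP), -l / --listen (bind addresses, comma-separated, optionally with :port), -p / --port, and the fact that 1.5.6 turned UDP off by default while earlier releases enable it on 11211. The OPTIONS strings are constructed samples in the style of an /etc/sysconfig/memcached file, and version strings are assumed to be plain dotted numbers.

```python
"""Audit a memcached option string against the advisory's recommendations:
is UDP on, and is the daemon bound beyond loopback? Added example; not part
of the advisory or of memcached itself."""
import shlex

UDP_OFF_BY_DEFAULT_FROM = (1, 5, 6)   # memcached 1.5.6 made UDP disabled by default
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
VALUE_FLAGS = ("-U", "--udp-port", "-l", "--listen", "-p", "--port")


def parse_version(version: str):
    return tuple(int(part) for part in version.split("."))


def _host_part(addr: str) -> str:
    """Strip an optional ':port' from an IPv4 bind address such as 127.0.0.1:11211."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit() and addr.count(":") == 1:
        return host
    return addr


def parse_options(options: str):
    """Pull the UDP port, TCP port and bind addresses out of a memcached option string."""
    cfg = {"udp_port": None, "tcp_port": 11211, "listen": []}
    toks = shlex.split(options)
    i = 0
    while i < len(toks):
        tok, val = toks[i], None
        if tok.startswith("--") and "=" in tok:          # --flag=value form
            tok, val = tok.split("=", 1)
        if tok in VALUE_FLAGS and val is None:          # -f value form
            if i + 1 >= len(toks):
                raise ValueError(f"{tok} requires a value")
            i += 1
            val = toks[i]
        if tok in ("-U", "--udp-port"):
            cfg["udp_port"] = int(val)
        elif tok in ("-l", "--listen"):
            cfg["listen"].extend(a.strip() for a in val.split(","))
        elif tok in ("-p", "--port"):
            cfg["tcp_port"] = int(val)
        i += 1
    return cfg


def assess(options: str, version: str):
    """Effective UDP port, loopback-only binding, findings, and an 'exposed' verdict
    (UDP enabled on an address other than loopback)."""
    cfg = parse_options(options)
    udp = cfg["udp_port"]
    if udp is None:   # no -U given: the release's default decides
        udp = 0 if parse_version(version) >= UDP_OFF_BY_DEFAULT_FROM else 11211
    listen = cfg["listen"] or ["0.0.0.0"]   # no -l: memcached listens on all interfaces
    loopback_only = all(_host_part(a) in LOOPBACK for a in listen)
    findings = []
    if udp and not loopback_only:
        findings.append(f"UDP/{udp} enabled on {', '.join(listen)}: usable as a reflector; set -U 0")
    elif udp:
        findings.append(f"UDP/{udp} enabled but loopback-only; still prefer -U 0")
    if not loopback_only:
        findings.append(f"TCP/{cfg['tcp_port']} bound to {', '.join(listen)}: restrict with -l, ACLs or a firewall")
    return {"udp_port": udp, "loopback_only": loopback_only,
            "findings": findings, "exposed": bool(udp) and not loopback_only}


# Constructed samples: a stock pre-1.5.6 line, the same line on 1.5.6, a hardened
# line, and a 1.5.6 line where UDP was explicitly re-enabled on a LAN address.
SAMPLES = {
    "default-1.4.25": ("-p 11211 -u memcached -m 64 -c 1024", "1.4.25"),
    "default-1.5.6":  ("-p 11211 -u memcached -m 64 -c 1024", "1.5.6"),
    "hardened":       ("-p 11211 -U 0 -l 127.0.0.1 -u memcached -m 64", "1.4.25"),
    "udp-forced-on":  ("-U 11211 -l 10.0.0.5,127.0.0.1 -u memcached", "1.5.6"),
}

if __name__ == "__main__":
    for name, (opts, ver) in SAMPLES.items():
        result = assess(opts, ver)
        print(f"{name:15} exposed={result['exposed']!s:5} {'; '.join(result['findings']) or 'ok'}")
```

The hardened sample is the shape to aim for on a host where only local clients need the cache: UDP off with -U 0 regardless of version, and -l pinned to loopback. Where the cache must serve other hosts, keep -U 0, bind to the internal address, and rely on the ACL and firewall steps above for TCP/11211.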

Details about these mitigations can be found at:

•    https://access.redhat.com/solutions/1160613
•    https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
•    https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/

Generally, MyCERT advises the users of this product to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.


For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Handphone: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: available for iOS and Android
 

5.0 References

•    https://www.us-cert.gov/ncas/current-activity/2018/03/03/Red-Hat-Releases-Security-Guidance-Memcached
•    https://www.us-cert.gov/ncas/alerts/TA14-017A
•    https://memcached.org/
•    https://www.cert.govt.nz/it-specialists/advisories/advisory/memcache/
•    https://access.redhat.com/security/cve/cve-2018-1000115
•    https://access.redhat.com/solutions/3369081
•    https://access.redhat.com/solutions/1160613
•    https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
•    https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/