[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

On the other side: VM/VPS providers have a template based image that they
use for every type and subtype of operating system it's possible to
auto-provision. For example Ubuntu Server Xenial AMD64 or Debian Jessie or
Stretch AMD64.

It's important that VM/VPS providers don't push fresh images that have
anything vulnerable, abusable or exploitable enabled by default. Not all
VM/VPS providers do this. Standard sane configuration choices apply such as
bind9 not being a recursive resolver by default.

If individual Debian, CentOS, Ubuntu or whatever other distro packages for
memcached or any other daemon have "listen on all interfaces = yes" or
"listen on non-RFC1918 IP ranges = yes" turned on in their respective
configurations, that would be an issue to take up with the package
maintainers for the daemons.

On Wed, Feb 28, 2018 at 4:31 AM, Job Snijders <job at ntt.net> wrote:

> Dear all,
> Before the group takes on the pitchforks and torches and travels down to
> the hosting providers' headquarters - let's take a step back and look at
> the root of this issue: the memcached software has failed both the
> Internet community and its own memcached users.
> It is INSANE that memcached is/was[1] shipping with default settings
> that make the daemon listen and respond on UDP on INADDR_ANY. Did nobody
> take notes during the protocol wars where we were fodder for all the
> CHARGEN & NTP ordnance?
> The memcached software shipped with a crazy default that required no
> authentication - allowing everyone to interact with the daemon. This is
> an incredibly risky proposition for memcached users from a
> confidentiality perspective; and on top of that the amplification factor
> is up to 15,000x. WHAT?!
> And this isn't even new information, open key/value stores have been a
> security research topic for a number of years, these folks reported that
> in the 2015/2016 time frame they observed more than 100,000 open
> memcached instances: https://aperture-labs.org/pdf/safeconf16.pdf
> Vendors need to ensure that a default installation of their software
> does not pose an immediate liability to the user itself and those around
> them. No software is deployed in a vacuum.
> A great example of how to approach things is the behavior of the
> PowerDNS DNS recursor: this recursor - out of the box - binds to only
>, and blocks queries from RFC 1918 space. An operator has to
> consciously perform multiple steps to make it into the danger zone.
> This is how things should be.
> Kind regards,
> Job
> [1]: https://github.com/memcached/memcached/commit/
> dbb7a8af90054bf4ef51f5814ef7ceb17d83d974
> ps. promiscuous defaults are bad, mmkay?
> Ask your BGP vendor for RFC 8212 support today! :-)