CVE-2018-1000115: memcached: UDP server support allows spoofed traffic amplification DoS.
This document (7022726) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Enterprise Storage 4
SUSE OpenStack Cloud 6
SUSE OpenStack Cloud 7
Situation
This attack appears to be exploitable via network connectivity to port 11211 UDP.
This vulnerability is fixed in version 1.5.6 due to disabling of the UDP protocol by default.
Resolution
Restrict memcached to the loopback address so that the UDP port is not reachable from the network, by setting the following in the memcached startup configuration (the MEMCACHED_PARAMS variable):
MEMCACHED_PARAMS="-l 127.0.0.1"
Cause
Additional Information
SUSE is planning to release an update to the memcached package that will slightly change this behavior in the future.
Going forward, UDP will then be disabled by default and has to be actively enabled by specifying the "-U" option with the port it should be listening on.
It is possible to verify whether a system is affected by this memcached vulnerability by looking at the output of the netstat command and checking whether the memcached daemon is listening on localhost only.
> aquarius:~ # netstat -ulpn | grep memcached
> udp 0 0 127.0.0.1:11211 0.0.0.0:* 30587/memcached
If the fourth column (the local address, shown above as 127.0.0.1:11211) contains anything other than 127.0.0.1, the UDP port is reachable from the network and the system is affected (unless there is a firewall in place, etc.); in that case the configuration was modified from the default in the past.
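The netstat check above can be scripted so it can be run across many hosts. The following is an added example, not part of the SUSE document: it reads `netstat -ulpn` style output from standard input, extracts the local address (fourth column) of every UDP socket owned by memcached, and prints the ones not bound to IPv4 or IPv6 loopback. The sample outputs embedded in the script are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example; not part of the SUSE TID. Flags memcached UDP sockets that are
# bound to a non-loopback address in `netstat -ulpn` output read from stdin.

# Print the local address (column 4) of every memcached UDP socket that is NOT
# bound to 127.0.0.1 or ::1. Exit status 0 if at least one such socket was
# found (exposed), 1 if none was found.
exposed_memcached_udp() {
    awk '
        $1 ~ /^udp6?$/ && $NF ~ /\/memcached$/ {
            # strip the ":port" suffix to obtain the bound address
            addr = $4
            sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "::1")
                print $4
        }
    ' | grep .
}

# Constructed sample outputs (not captured from a real host).
# A host where memcached follows the Resolution above:
SAFE_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           30587/memcached
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1122/ntpd'

# A host where memcached UDP is bound to all IPv4 and IPv6 addresses:
EXPOSED_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           30587/memcached
udp6       0      0 :::11211                :::*                                30587/memcached'

# Against the live system (run as root so netstat can show the program name):
#   netstat -ulpn 2>/dev/null | exposed_memcached_udp && echo "memcached UDP is exposed"
```

The function only inspects what the socket is bound to; as the text notes, a host firewall may still block the port, so a hit means "review this host", not necessarily "reachable from the Internet".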
Following the upcoming memcached update, the configuration may also need to be adjusted to explicitly tell memcached to listen on a specific UDP address/port.
There is currently no ETA available for when this update will be released.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7022726
- Creation Date: 12-Mar-2018
- Modified Date:03-Mar-2020
- SUSE Enterprise Storage
- SUSE Linux Enterprise Server
- SUSE Open Stack Cloud
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com