Bug 1551182 (CVE-2018-1000115)

Summary: CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, apmukher, chrisw, cperry, cswanson, dffrench, drusso, fkrska, hguemar, janne.snabb, jjoyce, jmadigan, jorton, jschluet, jshepherd, kbasil, lgriffin, lhh, lindner, lpeer, markmc, matthew.taylor, matthias, mburns, mlichvar, ngough, pwright, rbryant, rrajasek, rschiron, sclewis, slinaber, slong, tdecacqu, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: memcached 1.5.6 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:42:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1551654, 1551655, 1551832, 1551833, 1551834, 1551835, 1551836, 1551837, 1551838, 1551839, 1552263, 1552264    
Bug Blocks: 1549965    

Description Kurt Seifried 2018-03-03 04:55:19 UTC 
memcached supports TCP and UDP servers, when the UDP server is enabled, and the configuration does not specify localhost or 127.0.0.1, and the server does not firewall the memcached port (11211 by default) can be exploited for network traffic amplification attacks by spoofed UDP packets.

Please note that by default the firewall on Red Hat Enterprise Linux only allows port 22 (SSH) inbound, so systems with memcached enabled are only affected if a firewall rule is added that allows UDP traffic to connect to memcached (by default on port 11211).
Comment 2 Tomas Hoger 2018-03-03 13:58:20 UTC 
memcached upstream disabled UDP by default in version 1.5.6:

https://github.com/memcached/memcached/wiki/ReleaseNotes156

Relevant upstream commit:

https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974
Comment 3 Tomas Hoger 2018-03-05 12:15:22 UTC 
Statement:

Red Hat is aware of traffic amplification distributed denial of service (DDoS) attacks that take advantage of the insecurely configured memcached servers reachable from the public Internet. The default configuration of memcached as shipped in Red Hat products makes it possible to abuse them for these DDoS attacks if memcached is exposed to connections from the public Internet. Refer to the Red Hat Knowledgebase article 3369081 for instructions on how to properly secure memcached installations to prevent them from being used in the attack.

https://access.redhat.com/solutions/3369081
Comment 4 Clifford Perry 2018-03-05 13:43:04 UTC 
Mitigation:

Please refer to the Red Hat Knowledgebase article 3369081 for instructions on how to properly secure memcached installations to prevent them from being used in an attack.

https://access.redhat.com/solutions/3369081
Comment 6 Tomas Hoger 2018-03-05 16:03:09 UTC 
Note that this issue is further mitigated by the default Fedora configuration, which makes memcached listen on loopback addresses only.  The change of this default was done in Fedora 25, see bug 1182542.

https://src.fedoraproject.org/rpms/memcached/c/3ee983ab6353cb0613d03913dcc8b7dd3c9637c5
Comment 7 Tomas Hoger 2018-03-05 16:04:25 UTC 
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1551655]
Comment 10 Summer Long 2018-03-06 01:23:45 UTC 
Created memcached tracking bugs for this issue:

Affects: openstack-rdo [bug 1551839]
Comment 14 Alex Schultz 2018-03-19 20:15:55 UTC 
*** Bug 1553274 has been marked as a duplicate of this bug. ***
Comment 15 errata-xmlrpc 2018-05-17 15:40:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2018:1593 https://access.redhat.com/errata/RHSA-2018:1593
Comment 16 errata-xmlrpc 2018-05-18 17:02:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2018:1627 https://access.redhat.com/errata/RHSA-2018:1627
Comment 17 errata-xmlrpc 2018-08-20 12:56:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 12.0 (Pike)

Via RHSA-2018:2331 https://access.redhat.com/errata/RHSA-2018:2331
Comment 18 errata-xmlrpc 2018-10-02 18:46:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty) director

Via RHSA-2018:2857 https://access.redhat.com/errata/RHSA-2018:2857