Bug 1551182 (CVE-2018-1000115) - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
Summary: CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplifi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000115
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1553274 (view as bug list)
Depends On: 1551654 1551655 1551832 1551833 1551834 1551835 1551836 1551837 1551838 1551839 1552263 1552264
Blocks: 1549965
TreeView+ depends on / blocked
 
Reported: 2018-03-03 04:55 UTC by Kurt Seifried
Modified: 2021-09-09 13:19 UTC (History)
35 users (show)

Fixed In Version: memcached 1.5.6
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:42:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3369081 0 None None None 2018-05-17 13:49:37 UTC
Red Hat Product Errata RHSA-2018:1593 0 None None None 2018-05-17 15:40:45 UTC
Red Hat Product Errata RHSA-2018:1627 0 None None None 2018-05-18 17:03:10 UTC
Red Hat Product Errata RHSA-2018:2331 0 None None None 2018-08-20 12:56:41 UTC
Red Hat Product Errata RHSA-2018:2857 0 None None None 2018-10-02 18:47:02 UTC

Description Kurt Seifried 2018-03-03 04:55:19 UTC 
memcached supports TCP and UDP servers, when the UDP server is enabled, and the configuration does not specify localhost or 127.0.0.1, and the server does not firewall the memcached port (11211 by default) can be exploited for network traffic amplification attacks by spoofed UDP packets.

Please note that by default the firewall on Red Hat Enterprise Linux only allows port 22 (SSH) inbound, so systems with memcached enabled are only affected if a firewall rule is added that allows UDP traffic to connect to memcached (by default on port 11211).
Comment 2 Tomas Hoger 2018-03-03 13:58:20 UTC 
memcached upstream disabled UDP by default in version 1.5.6:

https://github.com/memcached/memcached/wiki/ReleaseNotes156

Relevant upstream commit:

https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974
Comment 3 Tomas Hoger 2018-03-05 12:15:22 UTC 
Statement:

Red Hat is aware of traffic amplification distributed denial of service (DDoS) attacks that take advantage of the insecurely configured memcached servers reachable from the public Internet. The default configuration of memcached as shipped in Red Hat products makes it possible to abuse them for these DDoS attacks if memcached is exposed to connections from the public Internet. Refer to the Red Hat Knowledgebase article 3369081 for instructions on how to properly secure memcached installations to prevent them from being used in the attack.

https://access.redhat.com/solutions/3369081
Comment 4 Clifford Perry 2018-03-05 13:43:04 UTC 
Mitigation:

Please refer to the Red Hat Knowledgebase article 3369081 for instructions on how to properly secure memcached installations to prevent them from being used in an attack.

https://access.redhat.com/solutions/3369081
Comment 6 Tomas Hoger 2018-03-05 16:03:09 UTC 
Note that this issue is further mitigated by the default Fedora configuration, which makes memcached listen on loopback addresses only.  The change of this default was done in Fedora 25, see bug 1182542.

https://src.fedoraproject.org/rpms/memcached/c/3ee983ab6353cb0613d03913dcc8b7dd3c9637c5
Comment 7 Tomas Hoger 2018-03-05 16:04:25 UTC 
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1551655]
Comment 10 Summer Long 2018-03-06 01:23:45 UTC 
Created memcached tracking bugs for this issue:

Affects: openstack-rdo [bug 1551839]
Comment 14 Alex Schultz 2018-03-19 20:15:55 UTC 
*** Bug 1553274 has been marked as a duplicate of this bug. ***
Comment 15 errata-xmlrpc 2018-05-17 15:40:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2018:1593 https://access.redhat.com/errata/RHSA-2018:1593
Comment 16 errata-xmlrpc 2018-05-18 17:02:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2018:1627 https://access.redhat.com/errata/RHSA-2018:1627
Comment 17 errata-xmlrpc 2018-08-20 12:56:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 12.0 (Pike)

Via RHSA-2018:2331 https://access.redhat.com/errata/RHSA-2018:2331
Comment 18 errata-xmlrpc 2018-10-02 18:46:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty) director

Via RHSA-2018:2857 https://access.redhat.com/errata/RHSA-2018:2857
Note You need to log in before you can comment on or make changes to this bug.