
[Security Vulnerability] Warning: Memcached UDP reflection attack vulnerability

Posted on 3/7/2018 4:43:08 PM

This week, the Alibaba Cloud Security Center detected malicious attacks on the Internet that exploit a vulnerability in the Memcached service. If a customer runs Memcached with the UDP protocol open by default and without access control, hackers may exploit the running Memcached service, resulting in outbound bandwidth consumption or CPU resource consumption.

Alibaba Cloud's Cloud Database Memcache Edition does not use the UDP protocol and is not affected by this issue by default. Alibaba Cloud also reminds users to review their own services and start an emergency investigation.

Affected scope:
Users who built their own Memcached service with UDP port 11211 open.

Investigation plan:
1. Test from the external Internet whether Memcached UDP port 11211 is open. You can use the nc tool to test the port, and check on the server whether the Memcached process is running.
Test port: nc -vuz <IP address> 11211
Test whether the memcached service is open to the public: telnet <IP address> 11211 (if port 11211 is open, the server may be affected)
Check process status: ps -aux | grep memcached
2. Run the command: echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <IP address> 11211
If the returned content is not empty, your server may be affected.

Solution:
1. If you use the Memcached service and have UDP port 11211 open, it is recommended that you use an ECS security group policy or another firewall policy to block UDP port 11211 in the public network direction, according to your business situation, so that the Memcached server cannot be reached from the Internet over UDP.
2. It is recommended that you restart the memcached service with the "-U 0" parameter to disable UDP completely.
3. Memcached has officially released a new version that disables UDP port 11211 by default. It is recommended that you upgrade to the latest version, 1.5.6. Download address: http://memcached-1-5-6-version.oss-cn-hangzhou.aliyuncs.com/memcached-1.5.6.tar.gz?spm=a2c4g.11174386.n2.4.z6Pbcq&file=memcached-1.5.6.tar.gz
(File integrity check SHA value: CA35929E74B132C2495A6957CFDC80556337FB90)
4. It is recommended that you harden the running Memcached service, for example by binding it to a local listening IP, prohibiting external access, disabling the UDP protocol, and enabling login authentication and other security functions.
For details, see the Memcached Service Hardening Manual.

Verification method:
Once the fix is complete, you can use the following methods to test whether it is effective:
1. If you have blocked external access to TCP port 11211, run "telnet <IP address> 11211" from an office computer on the external network. If the connection fails, external access to TCP port 11211 has been closed.
2. If you have disabled the UDP protocol for the Memcached service on your server, run the following command to check that it is turned off: echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -u <IP address> 11211
If the returned content is empty, your server has been fixed successfully. You can also use "netstat -an | grep udp" to see whether UDP port 11211 is listening. If it is not, the memcached UDP protocol has been shut down successfully.
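
A more precise form of the "netstat -an | grep udp" check above, as an added example that is not part of the original advisory: it reads netstat output and reports which UDP sockets on port 11211 are bound beyond loopback. The function names and the sample netstat text are constructed, and the Linux net-tools column layout is assumed.

```shell
# Added example: classify UDP listeners on the Memcached port from `netstat -an` text.
# Function names and the sample outputs below are constructed for illustration.

# Reads `netstat -an` output on stdin (Linux net-tools column layout assumed).
# Prints "<exposure> <local-address>" for every UDP socket bound to the port.
memcached_udp_listeners() {
    local port="${1:-11211}"
    awk -v port="$port" '
        $1 ~ /^udp/ {
            addr = $4                          # Local Address column
            n = split(addr, parts, ":")        # port is the text after the last ":"
            if ((parts[n] "") != (port "")) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            exposure = (host ~ /^127\./ || host == "::1") ? "loopback" : "public"
            print exposure, addr
        }'
}

# Succeeds (exit 0) when no UDP socket on the port is bound beyond loopback.
memcached_udp_closed() {
    ! memcached_udp_listeners "${1:-11211}" | grep -q '^public '
}

# Constructed sample: memcached running with UDP 11211 open on all interfaces.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
udp6       0      0 :::11211                :::*
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed sample: memcached restarted with "-U 0" and bound to localhost.
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

for name in BEFORE AFTER; do
    eval "sample=\$SAMPLE_$name"
    if printf '%s\n' "$sample" | memcached_udp_closed; then
        echo "$name: UDP 11211 is not listening on a public address"
    else
        echo "$name: UDP 11211 is still exposed:"
        printf '%s\n' "$sample" | memcached_udp_listeners | sed 's/^/  /'
    fi
done
```

On a live server, pipe real output in with "netstat -an | memcached_udp_closed". This only inspects local bind addresses, so the external nc test above is still needed to confirm that the firewall or security group rule works.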



