Memcached Injection

Memcached is a free and open high-performance distributed system, which was introduced for caching objects in memory.

This distributed system is the storage of “key-value” type located in the operating memory and designed for small “portions” of arbitrary data. These data include string values, numerical values, and many more.

Memcached is fully open-development and is assembled and operated under UNIX, Windows, OS X and distributed under an open license.

It is also a general-purpose memory caching system which is used to speed up dynamic-driven websites by caching data in RAM.

Successful exploitation will let the attacker execute arbitrary code on the affected system via readily available network utilities.

The common Memcached commands are:

• Storage - set, add, replace

• Read - get, gets

• Delete - delete

• Increment/Decrement - incr, decr

Example

The below code is an example of this vulnerability:

<?php

$m = new Memcached();
$m->addServer('example.beaglesecurity.com', 11211);
$m->set("key1 0 0 1\r\n1\r\nset injected 0 3600 10\r\n1234567890\r\n","1234567890",30);

?>

The above code can be exploited as below.

$m->set("prefix_" . $_GET['key'], "data");

The following is the data exchanged between the server and the client.

> set key 0 0 1
> 1
> STORED
> set injected 0 3600 10
> 1234567890
> STORED
> 0 30 10
> ERROR
> 1234567890
> ERROR

What are the impacts of Memcached injection?

Memcached injection is a security vulnerability that can have various impacts on a web application or system if successfully exploited.

When an attacker injects malicious data or commands into a Memcached instance, the following impacts can occur:

1. Denial of Service (DoS)

Memcached injection can lead to a DoS condition where the Memcached server is overwhelmed with malicious requests.

This can result in a slowdown or unresponsiveness of the Memcached service, causing performance issues for the web application.

2. Cache poisoning

Attackers can inject malicious or bogus data into the Memcached cache.

Subsequent retrieval of this data by the web application can lead to incorrect or malicious responses, potentially compromising data integrity and user experience.

3. Information leakage

Memcached may store sensitive data such as session tokens, API keys, or database query results.

An attacker who successfully injects malicious data can potentially access or expose this sensitive information.

4. Data corruption

Malicious injection can lead to the corruption of cached data, affecting the reliability and integrity of data stored in Memcached.

5. Remote Code Execution (RCE)

In some cases, Memcached injection vulnerabilities can be used to execute arbitrary code on the server.

This can result in a full compromise of the web application and underlying infrastructure, leading to unauthorized access, data theft, or further attacks.

6. Amplification attacks

Attackers may use Memcached as an amplification vector in distributed denial of service (DDoS) attacks.

By injecting a small amount of data, they can cause the Memcached server to return a much larger response to a spoofed target, potentially overwhelming it.

7. Authentication bypass

If the Memcached server requires authentication but is misconfigured or insecurely set up, an attacker could potentially exploit an injection vulnerability to bypass authentication and gain unauthorized access.

8. Data exfiltration

Attackers may use Memcached injection to extract sensitive data from the cache, potentially leading to data breaches and the exposure of confidential information.

How can you prevent Memcached injection?

Preventing and mitigating Memcached injection vulnerabilities requires careful configuration, monitoring, and secure coding practices.

Here are the steps to help prevent and mitigate Memcached injection:

1. Secure configuration

Always enable authentication for your Memcached servers. Set strong and unique passwords to protect your Memcached instance

from unauthorized access.

Limit access to Memcached servers by configuring firewall rules and access controls to allow connections only from trusted IP

addresses or networks.

Configure Memcached to bind only to local network interfaces when possible, preventing external access.

2. Patch and update

Regularly update your Memcached software to apply security patches and bug fixes. Vulnerabilities can be mitigated by keeping

your software up to date.

3. Access controls

Implement access controls in your application to restrict data types stored in Memcached.

Avoid caching sensitive information like passwords, API keys, or personally identifiable information (PII).

4. Input validation and sanitization

Perform input validation and sanitization on user-generated data before storing or retrieving it from Memcached.

This helps prevent injection of malicious data.

5. Whitelisting

Use whitelists to specify the types of data that can be stored in Memcached.

Only allow known, safe data to be cached.

6. Monitoring and logging

Set up monitoring and logging to track Memcached activity.

Watch for unusual or malicious patterns, such as excessive requests or unauthorized access attempts.

7. Rate limiting and throttling

Implement rate limiting and throttling mechanisms to prevent abuse or misuse of the Memcached service. Limit the number of

requests per second from a single source.

8. Segmentation

Isolate Memcached instances from other critical systems and sensitive data.

This can help contain potential breaches and limit the impact of an attack.

9. Testing

Regularly conduct security testing, including penetration testing and code reviews, to identify and remediate vulnerabilities

in your Memcached setup and application code.

10. Disable UDP

Memcached uses both TCP and UDP for communication.

If UDP is not needed, consider disabling it. UDP-based amplification attacks can be mitigated by blocking UDP traffic.

Written by

Febna V M

Cyber Security Engineer