Memcached is a free, open-source, high-performance distributed system for caching objects in memory.
It is a key-value store held in RAM and designed for small chunks of arbitrary data, such as string values, numerical values, and many more.
Memcached is developed in the open, builds and runs on UNIX, Windows and OS X, and is distributed under an open license.
It is also a general-purpose memory caching system used to speed up dynamic websites by caching data in RAM.
Successful exploitation will let the attacker execute arbitrary code on the affected system via readily available network utilities.
The common Memcached commands are:
Storage - set, add, replace
Read - get, gets
Delete - delete
Increment/Decrement - incr, decr
The code below is an example of this vulnerability. The key passed to set() contains CRLF sequences followed by a second set command:
<?php
$m = new Memcached();
$m->addServer('example.beaglesecurity.com', 11211);
$m->set("key1 0 0 1\r\n1\r\nset injected 0 3600 10\r\n1234567890\r\n","1234567890",30);
?>
In an application, the injection point is a key built from user input, as below.
$m->set("prefix_" . $_GET['key'], "data");
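The following is the data exchanged between the server and the client. Because the text protocol treats each CRLF-terminated line as the start of a new command, the server stores the injected item, and the flags, expiry, length and value that the client library appends after the key are parsed as unknown commands and answered with ERROR.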
> set key 0 0 1
> 1
> STORED
> set injected 0 3600 10
> 1234567890
> STORED
> 0 30 10
> ERROR
> 1234567890
> ERROR
Memcached injection is a security vulnerability that can have various impacts on a web application or system if successfully exploited.
When an attacker injects malicious data or commands into a Memcached instance, the following impacts can occur:
Memcached injection can lead to a DoS condition where the Memcached server is overwhelmed with malicious requests.
This can result in a slowdown or unresponsiveness of the Memcached service, causing performance issues for the web application.
Attackers can inject malicious or bogus data into the Memcached cache.
Subsequent retrieval of this data by the web application can lead to incorrect or malicious responses, potentially compromising data integrity and user experience.
Memcached may store sensitive data such as session tokens, API keys, or database query results.
An attacker who successfully injects malicious data can potentially access or expose this sensitive information.
Malicious injection can lead to the corruption of cached data, affecting the reliability and integrity of data stored in Memcached.
In some cases, Memcached injection vulnerabilities can be used to execute arbitrary code on the server.
This can result in a full compromise of the web application and underlying infrastructure, leading to unauthorized access, data theft, or further attacks.
Attackers may use Memcached as an amplification vector in distributed denial of service (DDoS) attacks.
By injecting a small amount of data, they can cause the Memcached server to return a much larger response to a spoofed target, potentially overwhelming it.
If the Memcached server requires authentication but is misconfigured or insecurely set up, an attacker could potentially exploit an injection vulnerability to bypass authentication and gain unauthorized access.
Attackers may use Memcached injection to extract sensitive data from the cache, potentially leading to data breaches and the exposure of confidential information.
Preventing and mitigating Memcached injection vulnerabilities requires careful configuration, monitoring, and secure coding practices.
Here are the steps to help prevent and mitigate Memcached injection:
Always enable authentication for your Memcached servers. Set strong and unique passwords to protect your Memcached instance from unauthorized access.
Limit access to Memcached servers by configuring firewall rules and access controls to allow connections only from trusted IP addresses or networks.
Configure Memcached to bind only to local network interfaces when possible, preventing external access.
Regularly update your Memcached software to apply security patches and bug fixes. Vulnerabilities can be mitigated by keeping your software up to date.
Implement access controls in your application to restrict data types stored in Memcached.
Avoid caching sensitive information like passwords, API keys, or personally identifiable information (PII).
Perform input validation and sanitization on user-generated data before storing or retrieving it from Memcached.
This helps prevent injection of malicious data.
Use whitelists to specify the types of data that can be stored in Memcached.
Only allow known, safe data to be cached.
Set up monitoring and logging to track Memcached activity.
Watch for unusual or malicious patterns, such as excessive requests or unauthorized access attempts.
Implement rate limiting and throttling mechanisms to prevent abuse or misuse of the Memcached service. Limit the number of requests per second from a single source.
Isolate Memcached instances from other critical systems and sensitive data.
This can help contain potential breaches and limit the impact of an attack.
Regularly conduct security testing, including penetration testing and code reviews, to identify and remediate vulnerabilities in your Memcached setup and application code.
Memcached uses both TCP and UDP for communication.
If UDP is not needed, consider disabling it. UDP-based amplification attacks can be mitigated by blocking UDP traffic.
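The input-validation step above, applied to the `$m->set("prefix_" . $_GET['key'], "data")` pattern shown earlier, as an added example that is not code from the original page. The helper names `safeCacheKey` and `hashedCacheKey`, the allow-list and the 128-byte input limit are assumptions chosen for illustration; the script needs no Memcached server and only shows which keys would be allowed onto the wire.

```php
<?php
// Added example; helper names and limits are hypothetical, not a library API.

const MEMCACHED_MAX_KEY_LEN = 250; // key length limit of the text protocol

/**
 * Build a cache key from untrusted input, or throw if the input could
 * change how the server frames the command line.
 */
function safeCacheKey(string $prefix, string $userPart): string
{
    // Allow-list: letters, digits and a few separators. This excludes
    // space, CR, LF, NUL and every other control byte. \A and \z anchor
    // the whole string, so a trailing newline cannot slip through.
    if (preg_match('/\A[A-Za-z0-9_.:-]{1,128}\z/', $userPart) !== 1) {
        throw new InvalidArgumentException('cache key contains disallowed bytes');
    }
    $key = $prefix . $userPart;
    if (strlen($key) > MEMCACHED_MAX_KEY_LEN) {
        throw new InvalidArgumentException('cache key too long');
    }
    return $key;
}

/**
 * Alternative when arbitrary input must be accepted: hash it, so the key
 * sent to the server is always the trusted prefix plus fixed-length hex.
 */
function hashedCacheKey(string $prefix, string $userPart): string
{
    return $prefix . hash('sha256', $userPart);
}

// Constructed inputs: one benign, one shaped like the injected key above.
$samples = [
    'user42',
    "key1 0 0 1\r\n1\r\nset injected 0 3600 10\r\n1234567890\r\n",
];

foreach ($samples as $input) {
    try {
        echo 'accepted: ' . safeCacheKey('prefix_', $input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected (' . $e->getMessage() . '), hashed form: '
            . hashedCacheKey('prefix_', $input) . "\n";
    }
}
```

In the application, the value returned by one of these helpers replaces the concatenated string in the `set()` and `get()` calls, and the same helper must be used on both paths so lookups still match.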