
Memcached is a free, open-source, high-performance distributed system for caching objects in memory.
It is a key-value store held in RAM and designed for small chunks of arbitrary data, such as string values, numerical values, and many more.
Memcached is developed in the open, builds and runs on UNIX, Windows and OS X, and is distributed under an open license.
It is also a general-purpose memory caching system used to speed up dynamic websites by caching data in RAM.
Successful exploitation of Memcached injection will let the attacker execute arbitrary code on the affected system via readily available network utilities.
The common Memcached commands are:
Storage - set, add, replace
Read - get, gets
Delete - delete
Increment/Decrement - incr, decr
Example
The below code is an example of this vulnerability:
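<?php
$m = new Memcached();
$m->addServer('example.beaglesecurity.com', 11211);
// The key embeds spaces and CRLF sequences, which are the field and line separators of the text protocol.
$m->set("key1 0 0 1\r\n1\r\nset injected 0 3600 10\r\n1234567890\r\n","1234567890",30);
?>
Application code like the line below, which builds the key from request input, can be exploited in this way.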
$m->set("prefix_" . $_GET['key'], "data");
The following is the data exchanged between the server and the client.
> set key 0 0 1
> 1
> STORED
> set injected 0 3600 10
> 1234567890
> STORED
> 0 30 10
> ERROR
> 1234567890
> ERROR
What are the impacts of Memcached injection?
Memcached injection is a security vulnerability that can have various impacts on a web application or system if successfully exploited.
When an attacker injects malicious data or commands into a Memcached instance, the following impacts can occur:
1. Denial of Service (DoS)
Memcached injection can lead to a DoS condition where the Memcached server is overwhelmed with malicious requests.
This can result in a slowdown or unresponsiveness of the Memcached service, causing performance issues for the web application.
2. Cache poisoning
Attackers can inject malicious or bogus data into the Memcached cache.
Subsequent retrieval of this data by the web application can lead to incorrect or malicious responses, potentially compromising data integrity and user experience.
3. Information leakage
Memcached may store sensitive data such as session tokens, API keys, or database query results.
An attacker who successfully injects malicious data can potentially access or expose this sensitive information.
4. Data corruption
Malicious injection can lead to the corruption of cached data, affecting the reliability and integrity of data stored in Memcached.
5. Remote Code Execution (RCE)
In some cases, Memcached injection vulnerabilities can be used to execute arbitrary code on the server.
This can result in a full compromise of the web application and underlying infrastructure, leading to unauthorized access, data theft, or further attacks.
6. Amplification attacks
Attackers may use Memcached as an amplification vector in distributed denial of service (DDoS) attacks.
By injecting a small amount of data, they can cause the Memcached server to return a much larger response to a spoofed target, potentially overwhelming it.
7. Authentication bypass
If the Memcached server requires authentication but is misconfigured or insecurely set up, an attacker could potentially exploit an injection vulnerability to bypass authentication and gain unauthorized access.
8. Data exfiltration
Attackers may use Memcached injection to extract sensitive data from the cache, potentially leading to data breaches and the exposure of confidential information.
How can you prevent Memcached injection?
Preventing and mitigating Memcached injection vulnerabilities requires careful configuration, monitoring, and secure coding practices.
Here are the steps to help prevent and mitigate Memcached injection:
1. Secure configuration
Always enable authentication for your Memcached servers. Set strong and unique passwords to protect your Memcached instance from unauthorized access.
Limit access to Memcached servers by configuring firewall rules and access controls to allow connections only from trusted IP addresses or networks.
Configure Memcached to bind only to local network interfaces when possible, preventing external access.
2. Patch and update
Regularly update your Memcached software to apply security patches and bug fixes. Vulnerabilities can be mitigated by keeping your software up to date.
3. Access controls
Implement access controls in your application to restrict data types stored in Memcached.
Avoid caching sensitive information like passwords, API keys, or personally identifiable information (PII).
4. Input validation and sanitization
Perform input validation and sanitization on user-generated data before storing or retrieving it from Memcached.
This helps prevent injection of malicious data.
5. Whitelisting
Use whitelists to specify the types of data that can be stored in Memcached.
Only allow known, safe data to be cached.
6. Monitoring and logging
Set up monitoring and logging to track Memcached activity.
Watch for unusual or malicious patterns, such as excessive requests or unauthorized access attempts.
7. Rate limiting and throttling
Implement rate limiting and throttling mechanisms to prevent abuse or misuse of the Memcached service. Limit the number of requests per second from a single source.
8. Segmentation
Isolate Memcached instances from other critical systems and sensitive data.
This can help contain potential breaches and limit the impact of an attack.
9. Testing
Regularly conduct security testing, including penetration testing and code reviews, to identify and remediate vulnerabilities in your Memcached setup and application code.
10. Disable UDP
Memcached uses both TCP and UDP for communication.
If UDP is not needed, consider disabling it. UDP-based amplification attacks can be mitigated by blocking UDP traffic.
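Step 4 applied to the key-building line from the example earlier on this page, as an added example that is not part of the original article. The helper name cacheKey() and its "prefix_" default are assumptions made for illustration; the sample inputs are constructed.

```php
<?php
// Added example, not code from the original page.
// cacheKey() and its "prefix_" default are hypothetical names chosen for illustration.

/**
 * Build a Memcached key from untrusted input, or throw.
 *
 * In the text protocol a command line is "set <key> <flags> <exptime> <bytes>\r\n",
 * so a space or CR/LF inside the key changes how the server parses the request.
 * Keys are also limited to 250 bytes.
 */
function cacheKey(string $userPart, string $prefix = 'prefix_'): string
{
    $key = $prefix . $userPart;

    // Allow-list: 1-250 bytes of printable ASCII excluding space (0x21-0x7E).
    // \A and \z anchor the whole string; "$" alone would accept a trailing newline.
    if (preg_match('/\A[\x21-\x7E]{1,250}\z/', $key) !== 1) {
        throw new InvalidArgumentException('rejected cache key');
    }
    return $key;
}

// Constructed sample inputs; the second is the key from the page's own example.
$samples = [
    'user:42',
    "key1 0 0 1\r\n1\r\nset injected 0 3600 10\r\n1234567890\r\n",
    "trailing-newline\n",
    str_repeat('a', 300),
];

foreach ($samples as $input) {
    try {
        $key = cacheKey($input);
        // Safe to pass on: $m->set($key, "data");
        printf("accepted: %s\n", $key);
    } catch (InvalidArgumentException $e) {
        // Log the rejection with control bytes escaped so they are visible in the log.
        printf("rejected: %s\n", addcslashes(substr($input, 0, 40), "\0..\37\177..\377"));
    }
}
```

Only the first sample is accepted; the other three are rejected for embedded separators, a trailing newline, and excessive length respectively.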





