
CVE-2018-1000115: memcached: UDP server support allows spoofed traffic amplification DoS.

This document (7022726) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Enterprise Storage 4
SUSE OpenStack Cloud 6
SUSE OpenStack Cloud 7

Situation

Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources).

This attack appears to be exploitable via network connectivity to port 11211 UDP.
This vulnerability is fixed in version 1.5.6 due to disabling of the UDP protocol by default.

Resolution

The default configuration in SUSE products is not affected, since /etc/sysconfig/memcached only listens on localhost by default:
MEMCACHED_PARAMS="-l 127.0.0.1"

Cause

Additional Information

Because /etc/sysconfig/memcached only listens on localhost by default, a system becomes vulnerable only if that default was changed in the past, for example by pointing "-l" at 0.0.0.0 or at the address of a network interface. Note that "-l" applies to both the TCP and the UDP socket, so a memcached exposed to the network over TCP is also reachable over UDP unless UDP is switched off. Currently the "-U 0" option is required to disable UDP completely for memcached.

SUSE is planning to release an update to the memcached package that will slightly change this behaviour: UDP will then be disabled by default and has to be actively enabled by specifying the "-U" option with the port memcached should listen on.

It is possible to verify whether a system is vulnerable by checking, in the output of the netstat command (or ss -ulpn on systems without net-tools), which address the memcached daemon's UDP socket is bound to:
> aquarius:~ # netstat -ulpn | grep memcached
> udp    0    0    127.0.0.1:11211    0.0.0.0:*    30587/memcached

When the fourth column (Local Address) shows anything other than 127.0.0.1, for example 0.0.0.0:11211 or the address of a network interface, memcached accepts UDP requests from the network and the system is affected (unless a firewall blocks UDP port 11211 from untrusted networks); in that case the default configuration was indeed modified in the past. If the command prints no udp line at all, UDP has already been disabled with "-U 0" (or memcached is not running).

Following the upcoming memcached update, deployments that rely on UDP will also need their configuration adjusted to explicitly tell memcached to listen on a specific UDP address/port.
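The check described above can be scripted so that it can be run across a fleet. The following POSIX shell script is an added example and is not part of this SUSE document or of the memcached package; it applies the document's rule (a memcached UDP socket bound to anything other than loopback is affected, "-U 0" disables UDP) to text in the layout of "netstat -ulpn" and to the MEMCACHED_PARAMS line of /etc/sysconfig/memcached. The function names, the sample netstat lines and the sample configuration lines (including the 192.0.2.10 address) are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the SUSE KB or of memcached: decide whether a host
# matches the KB's "affected" condition from (a) `netstat -ulpn` output and
# (b) the MEMCACHED_PARAMS line of /etc/sysconfig/memcached.
# All function and variable names are this example's own.

# memcached_udp_exposed NETSTAT_TEXT
# Exit 0 if any memcached UDP socket is bound to an address other than
# loopback (127.0.0.1 / ::1); exit 1 otherwise, including "no UDP socket at all".
memcached_udp_exposed() {
    printf '%s\n' "$1" | awk '
        ($1 == "udp" || $1 == "udp6") && $NF ~ /memcached$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # drop ":11211"; ":::11211" becomes "::"
            if (addr != "127.0.0.1" && addr != "::1") exposed = 1
        }
        END { exit (exposed ? 0 : 1) }'
}

# memcached_params SYSCONFIG_TEXT
# Print the unquoted value of the last MEMCACHED_PARAMS="..." assignment.
memcached_params() {
    printf '%s\n' "$1" | sed -n 's/^MEMCACHED_PARAMS="\(.*\)"$/\1/p' | tail -n 1
}

# memcached_params_udp_disabled PARAMS
# Exit 0 if the option string contains "-U 0" (or "-U0"), which disables UDP entirely.
memcached_params_udp_disabled() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-U[[:space:]]*0([[:space:]]|$)'
}

# memcached_verdict NETSTAT_TEXT SYSCONFIG_TEXT
# Running state wins: a live non-loopback UDP socket is "affected" even if the
# config already carries -U 0, because the daemon may not have been restarted.
memcached_verdict() {
    if memcached_udp_exposed "$1"; then
        echo "affected: memcached UDP socket bound to a non-loopback address"
        return 0
    fi
    if memcached_params_udp_disabled "$(memcached_params "$2")"; then
        echo "not-affected: UDP disabled with -U 0"
    else
        echo "not-affected: UDP bound to loopback only (no -U 0 in config)"
    fi
}

# Constructed sample data (not captured from a real host), in `netstat -ulpn` layout.
SAFE_NETSTAT='udp        0      0 127.0.0.1:11211         0.0.0.0:*                           30587/memcached'
EXPOSED_NETSTAT='udp        0      0 0.0.0.0:11211           0.0.0.0:*                           30587/memcached
udp6       0      0 :::11211                :::*                                30587/memcached'
NO_UDP_NETSTAT=''   # with -U 0 memcached opens no UDP socket, so grep prints nothing
SAFE_CONF='MEMCACHED_PARAMS="-l 127.0.0.1"'            # SUSE default
HARDENED_CONF='MEMCACHED_PARAMS="-l 192.0.2.10 -U 0"'  # network listener, UDP off
EXPOSED_CONF='MEMCACHED_PARAMS="-l 192.0.2.10"'        # network listener, UDP still on

# Stand-alone run over the three constructed hosts. On a real SUSE host use:
#   memcached_verdict "$(netstat -ulpn 2>/dev/null)" "$(cat /etc/sysconfig/memcached)"
memcached_verdict "$SAFE_NETSTAT" "$SAFE_CONF"
memcached_verdict "$NO_UDP_NETSTAT" "$HARDENED_CONF"
memcached_verdict "$EXPOSED_NETSTAT" "$EXPOSED_CONF"
```

The exposure test deliberately looks at the live socket table rather than only at the configuration file: a host whose sysconfig already contains "-U 0" but whose memcached has not been restarted is still an amplifier, and a firewall in front of UDP 11211 is not visible to either check and has to be verified separately.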

There is currently no ETA available for when this update will be released.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7022726
  • Creation Date:12-MAR-18
  • Modified Date:16-MAR-18
  • Products: SUSE Enterprise Storage, SUSE OpenStack Cloud, SUSE Linux Enterprise Server
