
Bug 649278 (CVE-2018-1000115)

Summary: net-misc/memcached should not listen on UDP port by default
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: ajak, hydrapolic, jdavid.ibp, prometheanfire, robbat2, sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/memcached/memcached/wiki/ReleaseNotes156
Whiteboard:
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2018-03-01 22:06:19 UTC
memcached is currently involved in some massive DDoS attacks, as its UDP protocol allows to be abused for amplification attacks. Background:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

The default configuration in Gentoo enables the UDP port. Upstream's version 1.5.6 changes the default to disable UDP, however in Gentoo this does not happen, as the init script will actively enable UDP by passing -U in the default setting.

The init script should be changed in a way that UDP only gets enabled if a user actively wants it. (One may even argue that it's such a problematic protocol that it shouldn't be supported at all by the init script.)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-02 03:49:15 UTC
(In reply to Hanno Boeck from comment #0)
> The default configuration in Gentoo enables the UDP port.
Only when no sockets are used. (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n55)

We also warn when listening on 0.0.0.0 (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n28).

I would suggest setting "LISTENON" to "127.0.0.1" by default and maybe uncommenting "SOCKET" by default, so that we ensure that no Gentoo system can be abused out of the box if the administrator forgets to set up a firewall, but there is no need to daemonize UDP usage in general.
Comment 2 Hanno Böck gentoo-dev 2018-03-02 11:29:09 UTC
Thomas, all your change proposals sound good, but I'd go one step further:
Even if a user changes to not using sockets, disable UDP by default.

E.g. we could comment out UDPPORT by default in conf.d/memcached and only pass -U {UDPPORT} if it's set.

From the upstream announcement it sounds to me that UDP-based memcached is basically considered a deprecated protocol that has little use today.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-02 12:36:13 UTC
> E.g. we could comment out UDPPORT by default in conf.d/memcached and only
> pass -U {UDPPORT} if it's set.
ACK.
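Added example, not the Gentoo init script or anyone's code from this bug: a small POSIX sh helper that implements the change agreed in comments 2 and 3, passing -U only when UDPPORT is set and otherwise disabling UDP with "-U 0", together with a check for the configuration the amplification abuse relies on. The function names and the conf.d variable names LISTENON, PORT, UDPPORT and SOCKET are assumptions here; the memcached flags -l, -p, -s and -U are the real ones.

```shell
#!/bin/sh
# Hypothetical helper (not the real memcached.init2): build the memcached
# command line from conf.d-style values so that UDP is off unless the
# administrator explicitly sets UDPPORT. memcached treats "-U 0" as UDP off.
#
# memcached_args LISTENON PORT UDPPORT SOCKET
memcached_args() {
    listenon="$1"; port="$2"; udpport="$3"; socket="$4"
    if [ -n "$socket" ]; then
        # Unix socket configured: no TCP or UDP listener at all
        printf '%s\n' "-s $socket"
        return 0
    fi
    # Safe defaults: loopback only, standard TCP port 11211
    args="-l ${listenon:-127.0.0.1} -p ${port:-11211}"
    if [ -n "$udpport" ]; then
        args="$args -U $udpport"        # opt-in only
    else
        args="$args -U 0"               # explicit off, whatever upstream's default is
    fi
    printf '%s\n' "$args"
}

# udp_exposed LISTENON UDPPORT SOCKET
# Succeeds (exit 0) when the settings would leave a UDP listener reachable on
# every interface, i.e. the situation a start-up warning should flag.
udp_exposed() {
    listenon="$1"; udpport="$2"; socket="$3"
    [ -z "$socket" ] && [ -n "$udpport" ] && [ "${listenon:-127.0.0.1}" = "0.0.0.0" ]
}

# Demo: read the conf.d-style variables from the environment, if any are set.
memcached_args "${LISTENON-}" "${PORT-}" "${UDPPORT-}" "${SOCKET-}"
```

Running it with no variables set prints "-l 127.0.0.1 -p 11211 -U 0", the hardened default; setting UDPPORT=11211 and LISTENON=0.0.0.0 reproduces the exposed configuration that udp_exposed flags.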
Comment 4 Dennis Lichtenthäler 2018-05-20 12:29:23 UTC
Please do this… I got bitten by it while switching a machine to systemd. LISTENON="127.0.0.1" was set in /etc/conf.d/memcached but most settings in that file are not honored by memcached's systemd unit.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:24:32 UTC
Maintainer(s): Ping.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-24 02:58:26 UTC
Ping