Bug 649278 (CVE-2018-1000115) - net-misc/memcached should not listen on UDP port by default
Summary: net-misc/memcached should not listen on UDP port by default
Status: CONFIRMED
Alias: CVE-2018-1000115
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/memcached/memcache...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-01 22:06 UTC by Hanno Böck
Modified: 2020-08-24 02:58 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2018-03-01 22:06:19 UTC
memcached is currently involved in some massive DDoS attacks, as its UDP protocol allows to be abused for amplification attacks. Background:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

The default configuration in Gentoo enables the UDP port. Upstream's version 1.5.6 changes the default to disable UDP, however in Gentoo this does not happen, as the init script will actively enable UDP by passing -U in the default setting.

The init script should be changed in a way that UDP only gets enabled if a user actively wants it. (One may even argue that it's such a problematic protocol that it shouldn't be supported at all by the init script.)
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-03-02 03:49:15 UTC
(In reply to Hanno Boeck from comment #0)
> The default configuration in Gentoo enables the UDP port.
Only when no sockets are used. (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n55)

We also warn when listening on 0.0.0.0 (https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/memcached/files/memcached.init2#n28).

I would suggest setting "LISTENON" to "127.0.0.1" per default and maybe uncommenting "SOCKET" per default so that we ensure that no Gentoo system can be abused out of the box if the administrator forgets to set up a firewall, but no need to daemonize UDP usage in general.
Comment 2 Hanno Böck gentoo-dev 2018-03-02 11:29:09 UTC
Thomas, all your change proposals sound good, but I'd go one step further:
Even if a user changes to not using sockets, disable UDP by default.

E.g. we could comment out UDPPORT by default in conf.d/memcached and only pass -U {UDPPORT} if it's set.

From the upstream announcement it sounds to me like the UDP-based memcached is basically considered a deprecated protocol that has little use today.
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-03-02 12:36:13 UTC
> E.g. we could comment out UDPPORT by default in conf.d/memcached and only
> pass -U {UDPPORT} if it's set.
ACK.
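The change agreed in comments 1 to 3, as an added illustration (this is not the Gentoo init script or any code from the bug): a POSIX shell function that builds memcached's argument list from the conf.d variables, defaulting LISTENON to 127.0.0.1, passing -U only when UDPPORT is explicitly set, and flagging a bind to all interfaces. The function names and the 11211 default are assumptions; only the variable names LISTENON, UDPPORT and SOCKET come from the discussion.

```shell
#!/bin/sh
# Added example: build memcached's command line the way comments 1 and 2 propose.
# Positional inputs mirror /etc/conf.d/memcached variables; an empty string
# means "unset". Function names and the 11211 default are assumptions.

memcached_args() {
    # Arguments: LISTENON PORT UDPPORT SOCKET
    listenon=${1:-127.0.0.1}   # proposed default: loopback only
    port=${2:-11211}
    udpport=$3
    socket=$4

    if [ -n "$socket" ]; then
        # Unix socket configured: memcached opens neither TCP nor UDP listeners.
        printf '%s' "-s $socket"
        return 0
    fi

    args="-l $listenon -p $port"
    if [ -n "$udpport" ]; then
        # UDP only when the administrator explicitly set UDPPORT.
        args="$args -U $udpport"
    else
        # Upstream 1.5.6 already defaults UDP to off; "-U 0" makes that explicit
        # for older versions whose built-in default is still UDP on 11211.
        args="$args -U 0"
    fi
    printf '%s' "$args"
}

# Return 1 (and warn on stderr) when the bind address exposes every interface,
# mirroring the warning the init script gives for 0.0.0.0.
warn_if_exposed() {
    case "$1" in
        0.0.0.0|'::')
            echo "WARNING: memcached listens on all interfaces ($1); firewall it or set LISTENON=127.0.0.1" >&2
            return 1 ;;
    esac
    return 0
}
```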
Comment 4 Dennis Lichtenthäler 2018-05-20 12:29:23 UTC
Please do this… I got bitten by it while switching a machine to systemd. LISTENON="127.0.0.1" was set in /etc/conf.d/memcached but most settings in that file are not honored by memcached's systemd unit.
Comment 5 John Helmert III (ajak) gentoo-dev Security 2020-06-18 02:24:32 UTC
Maintainer(s): Ping.
Comment 6 John Helmert III (ajak) gentoo-dev Security 2020-08-24 02:58:26 UTC
Ping