memcached should disable UDP by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| memcached (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Trusty | Fix Released | Undecided | Steve Beattie | |
| Xenial | Fix Released | Undecided | Steve Beattie | |
| Artful | Fix Released | Undecided | Steve Beattie | |
Bug Description
Memcached is currently involved in some massive ddos attacks, see e.g.:
https:/
The UDP protocol of memcached can be abused for very effective DDoS amplification attacks and should therefore be considered dangerous.
Upstream memcached has reacted to this by disabling UDP by default:
https:/
In Ubuntu memcached by default only listens to 127.0.0.1, but enables UDP. While the localhost-only binding protects default settings, it's still only a minor change away from creating an effective DDoS tool for a protocol that is hardly in use today. I recommend that Ubuntu backport the upstream change and disable UDP by default.
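As an added example, not code from the bug report or the memcached package: a small audit that reads a Debian-style memcached.conf and reports whether the instance could serve as a UDP amplifier, distinguishing the loopback-only-but-UDP-on default described above from a fully exposed one. It assumes the one-option-per-line format of /etc/memcached.conf and memcached's `-U <port>` option, where `-U 0` disables the UDP listener; `daemon_udp_default` models whether the binary enables UDP when `-U` is absent (true before this fix, false after).

```python
import ipaddress

# Constructed sample configs (not copied from the bug report or the package).
CONF_UBUNTU_BEFORE_FIX = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n"
CONF_EXPOSED = "-m 64\n-p 11211\n-U 11211\n-l 0.0.0.0\n"
CONF_HARDENED = "-m 64\n-p 11211\n-U 0   # UDP listener off\n-l 127.0.0.1\n"


def parse_conf(text):
    """Debian memcached.conf: one option per line, '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else None)
    return opts


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; unparsable names are treated as non-loopback."""
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr  # strip v4 port
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(conf_text, daemon_udp_default=True):
    """Return (udp_enabled, reachable_beyond_loopback, verdict).

    daemon_udp_default: what the binary does when -U is absent. True models
    the package before this fix (UDP on 11211), False the patched package.
    """
    opts = parse_conf(conf_text)
    if "-U" in opts:
        udp_port = int(opts["-U"][-1] or 0)
    else:
        udp_port = 11211 if daemon_udp_default else 0
    udp_enabled = udp_port != 0
    # No -l means memcached binds to every interface.
    binds = [a.strip() for v in opts.get("-l", [None]) for a in (v or "0.0.0.0").split(",")]
    public = any(not is_loopback(a) for a in binds)
    if not udp_enabled:
        verdict = "ok"          # nothing to amplify with
    elif public:
        verdict = "critical"    # reachable UDP reflector; set -U 0
    else:
        verdict = "warn"        # loopback-only today, one -l edit from exposure
    return udp_enabled, public, verdict


if __name__ == "__main__":
    for name, conf in [("before fix", CONF_UBUNTU_BEFORE_FIX), ("exposed", CONF_EXPOSED),
                       ("hardened", CONF_HARDENED)]:
        print(name, audit(conf))
```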
CVE References
Changed in memcached (Ubuntu Trusty): status: New → Triaged
Changed in memcached (Ubuntu Xenial): status: New → Triaged
Changed in memcached (Ubuntu Artful): status: New → Triaged
Changed in memcached (Ubuntu Trusty): assignee: nobody → Steve Beattie (sbeattie)
Changed in memcached (Ubuntu Xenial): assignee: nobody → Steve Beattie (sbeattie)
Changed in memcached (Ubuntu Artful): assignee: nobody → Steve Beattie (sbeattie)
This bug was fixed in the package memcached - 1.5.4-1ubuntu3

```
memcached (1.5.4-1ubuntu3) bionic; urgency=medium

  * SECURITY UPDATE: disable listening on UDP port by default due to
    use in DDoS amplification attacks
    - debian/patches/disable-udp-by-default.patch: disable UDP port by
      default. (LP: #1752831)
    - debian/NEWS: add explanation and document how to re-enable UDP if
      necessary.

 -- Steve Beattie <email address hidden>  Fri, 02 Mar 2018 10:24:18 -0800
```