According to itopstimes, Corero Internet Security disclosed that the Memcached vulnerability behind last week's GitHub DDoS attacks is worse than originally reported: it can also be used to steal or modify data held on the Memcached server.
Memcached is an open source system that stores data in memory to speed up access. In the attack now in circulation, the attacker first stores a value of the maximum size Memcached allows, then sends UDP requests with a spoofed source address, so that the large volume of UDP response packets Memcached emits is directed at the target.
According to Corero, any Memcached server that can be used for DDoS attacks can also be used to collect user data cached from a local network or host. The company stated that in addition to stealing user data, the attacker can modify the data and insert it back into the cache without the owner’s knowledge.
Ashley Stephenson, CEO of Corero, said “Memcached represents a new chapter in DDoS attack executions. Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.”
Because the Memcached protocol is designed to be used without authentication, anything added to a vulnerable Memcached server by a user can be stolen by anyone on the Internet without leaving an audit trail.
Memcached has recently released version 1.5.6, which disables the UDP protocol by default. Its developer community has also issued multiple warnings about the security risks, but a large number of users are still running previous versions, as well as the default configurations shipped by operating systems and cloud services. Corero also announced a "kill switch" countermeasure that suppresses the DDoS attack by sending a command back to the attacking server and invalidating that server's cache, and said that the countermeasure has been tested and appears to be 100% effective.
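The two conditions the article describes, UDP left enabled and the daemon reachable from beyond the local host, can both be read off the startup options. The following is an added example, not code from the article or from the Memcached project: it audits a memcached configuration for those two conditions. It assumes the Debian/Ubuntu-style `/etc/memcached.conf` format (one option per line, `#` comments) and memcached's real `-U`/`--udp-port` and `-l`/`--listen` options; the sample configuration bodies are constructed for the example.

```python
# Added example: audit a memcached startup configuration for the exposure
# conditions described above (UDP enabled, bound to a non-loopback address).
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed samples in the Debian/Ubuntu /etc/memcached.conf style.
SAMPLE_CONF_EXPOSED = """
# typical pre-1.5.6 default: UDP on, listening on every interface
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""

SAMPLE_CONF_HARDENED = """
-m 64
-p 11211
-U 0
-l 127.0.0.1
"""


@dataclass
class MemcachedAudit:
    udp_port: Optional[int]            # None = -U not given (version-dependent default)
    listen_addrs: List[str]            # [] = -l not given (memcached binds all interfaces)
    findings: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """True when UDP may be on AND the daemon is reachable beyond loopback."""
        udp_possible = self.udp_port is None or self.udp_port > 0
        public = not self.listen_addrs or any(a not in LOOPBACK for a in self.listen_addrs)
        return udp_possible and public


def _tokens(conf_text: str) -> List[str]:
    """Flatten a memcached.conf body into argv-style tokens, dropping comments."""
    toks: List[str] = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            toks.extend(shlex.split(line))
    return toks


def _strip_port(addr: str) -> str:
    """-l accepts addr or addr:port (IPv6 in brackets); return just the address."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":")[0]
    return addr


def audit_memcached(conf_text: str) -> MemcachedAudit:
    toks = _tokens(conf_text)
    udp_port: Optional[int] = None
    listen: List[str] = []
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-U", "-l"):                       # "-U 11211" / "-l 0.0.0.0"
            key, i = tok, i + 1
            val = toks[i] if i < len(toks) else ""
        elif tok.startswith(("-U", "-l")) and not tok.startswith("--"):
            key, val = tok[:2], tok[2:]               # "-U11211" attached form
        elif tok.startswith(("--udp-port=", "--listen=")):
            name, val = tok.split("=", 1)
            key = "-U" if name == "--udp-port" else "-l"
        else:
            i += 1
            continue
        if key == "-U":
            udp_port = int(val)
        else:
            listen.extend(_strip_port(a.strip()) for a in val.split(","))
        i += 1

    audit = MemcachedAudit(udp_port, listen)
    if udp_port is None:
        audit.findings.append("UDP port not set: versions before 1.5.6 enable UDP 11211 by default; set -U 0 explicitly")
    elif udp_port > 0:
        audit.findings.append(f"UDP enabled on port {udp_port}; set -U 0 unless UDP is required")
    if not listen:
        audit.findings.append("no -l given: memcached binds all interfaces; bind to 127.0.0.1 or a private address")
    else:
        for a in listen:
            if a not in LOOPBACK:
                audit.findings.append(f"listening on {a}: ensure port 11211 is not reachable from the Internet")
    return audit


if __name__ == "__main__":
    for label, conf in (("exposed", SAMPLE_CONF_EXPOSED), ("hardened", SAMPLE_CONF_HARDENED)):
        result = audit_memcached(conf)
        print(f"{label}: exposed={result.exposed}")
        for f in result.findings:
            print("  -", f)
```

A configuration with no `-U` line is reported as a finding on purpose: whether UDP is on then depends on which memcached version is installed, so the safe fix is to pin `-U 0` explicitly rather than rely on the 1.5.6 default.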
Source: itopstimes