Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Organizations Slow to Patch Critical Memcached Flaws

Tens of Thousands of Internet-Exposed Memcached Servers Are Vulnerable to Attacks

Tens of thousands of servers running Memcached are exposed to the Internet and affected by several critical vulnerabilities disclosed last year by Cisco’s Talos intelligence and research group.

Tens of Thousands of Internet-Exposed Memcached Servers Are Vulnerable to Attacks

Tens of thousands of servers running Memcached are exposed to the Internet and affected by several critical vulnerabilities disclosed last year by Cisco’s Talos intelligence and research group.

In late October 2016, Talos published an advisory describing three serious flaws affecting Memcached, an open source, high performance distributed memory caching system used to speed up dynamic web apps by reducing the database load.

The vulnerabilities, tracked as CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706, allow a remote attacker to execute arbitrary code on vulnerable systems by sending specially crafted Memcached commands. The flaws can also be leveraged to obtain sensitive data that could allow an attacker to bypass exploit mitigations.

The security holes were patched by Memcached developers before Talos disclosed its findings. A few months later, in late February and early March 2017, researchers conducted Internet scans to find out how many organizations had patched their installations.

The scans uncovered a total of more than 107,000 servers accessible over the Internet and nearly 80 percent of them, or roughly 85,000 servers, were still vulnerable. Furthermore, only approximately 22 percent of the servers, or roughly 24,000, required authentication.

Nearly 30,000 of the vulnerable servers were located in the United States, followed by China (17,000), the United Kingdom (4,700), France (3,200), Germany (3,000), Japan (3,000), the Netherlands (2,600), India (2,500) and Russia (2,300).

After completing the scans, Cisco obtained contact email addresses for all the IP addresses associated with the vulnerable servers and attempted to notify affected organizations.

Advertisement. Scroll to continue reading.

Six months later, researchers conducted another scan, but the situation improved only slightly, with roughly 10 percent of systems patched since the previous analysis. However, the number of servers requiring authentication dropped to 18,000, or 17 percent of the total.

Interestingly, researchers noticed that more than 28,000 of the previously discovered servers were no longer online. However, since the total number of Internet-facing installations remained the same, experts determined that some servers either changed their IPs or organizations had been deploying new systems with vulnerable versions of Memcached.

Talos warned that these vulnerable Memcached installations could be targeted in ransom attacks similar to the ones that hit MongoDB databases in early 2017. While Memcached is not a database, it can still contain sensitive information and disrupting it could have a negative impact on other dependent services.

“The severity of these types of vulnerabilities cannot be understated,” experts warned. “These vulnerabilities potentially affect a platform that is deployed across the internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world. If left unaddressed the vulnerabilities could be leveraged to impact organizations globally and impact business severely.”

The number of Memcached instances accessible from the Internet has remained fairly constant over the past years. An analysis conducted in August 2015 uncovered 118,000 Memcached instances exposing 11 terabytes of data.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.