Cache On Delivery — Memcached Opens an Accidental Security Hole

← Back to Stories (view on slashdot.org)

Cache On Delivery — Memcached Opens an Accidental Security Hole

Posted by timothy on Friday August 6, 2010 @06:00PM from the everything-has-a-downside dept.

jamie spotted this eye-opening presentation (here's a longer explanation) about how easy it is to access sensitive data on many sites using memcached, writing "If you already know what memcached is, skim to slide #17. The jaw-drop will happen around slide #33. Turns out many websites expose their totally-non-protected memcached interface to the Internet, including gowalla, bit.ly, and PBS."

10 of 149 comments (clear)

Min score:

Reason:

Sort:

Firewall? by chx1975 · 2010-08-06 18:08 · Score: 4, Insightful

I run my memcacheds behind firewall. I thought that the basic server security rule was that you firewall everything opening ports very cautiously as necessary.
1. Re:Firewall? by MikeFM · 2010-08-06 18:13 · Score: 4, Insightful
  
  My memcached server is on the private network only accessible to other servers and is firewalled to everything but the servers that need access. Not exactly rocket science.
  
  --
  At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
2. Re:Firewall? by PIBM · 2010-08-06 23:10 · Score: 4, Insightful
  
  Ive been running memcached since it's out, even sent some patches in.
  The thing is, why aren't they running this on a private network ?? Memcached is designed to be fast AND non-secure, to be run on your local network. Running it on a server farm with thousands of people having access to your computers and ips is not a private network.
  I had heard about people running it on the local interface and still getting problems before (somebody else with the same computer ran it too and forgot to pick the good port and finally used the same key ...) but that's because IT'S NOT BUILT TO BE USED ON AN UNSECURED NETWORK.
  Nothing new, bad admins get bad things done to them, move along.
I fail to see why this is news by OverlordQ · 2010-08-06 18:09 · Score: 5, Insightful

Much less 'memcached' being at fault. They say it themselves:

Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users.
All this is is stupid admins doing stupid things story and those are dime a dozen.

--
Your hair look like poop, Bob! - Wanker.
1. Re:I fail to see why this is news by MikeFM · 2010-08-06 23:33 · Score: 4, Insightful
  
  The difference is that in this case a non-retarded admin can secure things. With Microsoft products it often takes an act of God to secure them (the best security feature of a Windows system is a blue screen of death). And memcached isn't meant to be a public service. It's very plainly described as not being secure. Completely different than a service that is meant to be public such as web or email not being secure.
  
  --
  At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
2. Re:I fail to see why this is news by MikeFM · 2010-08-06 23:35 · Score: 4, Insightful
  
  It defaults to not being installed and running. Memcached is meant to be ran from one or more caching servers (not really on the web server itself). It isn't really meant to be ran on localhost under ideal usage.
  
  --
  At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
3. Re:I fail to see why this is news by TheRaven64 · 2010-08-07 00:32 · Score: 5, Insightful
  
  Which is exactly the point. The default install should never be working-and-insecure. It should be secure, and ideally it should be working. If it is not possible for the default install to be both useful and secure, as appears to be the case with memcached, then it should install only listening on localhost and require explicit intervention by the user to accept connections from other hosts.
  If you can install it and have it work by default, then there is no reason for the user to bother reading the manual, so they won't learn that it needs to be specially configured to be secure. If the default is secure but not particularly useful, then the user needs to explicitly adjust the setting that makes it insecure, and in so doing needs to read the documentation explaining that this will make it insecure and how to mitigate it.
  
  --
  I am TheRaven on Soylent News
More Boiled and Distilled. by SuperKendall · 2010-08-06 18:27 · Score: 5, Insightful

Memcache allows anyone to overwrite a cache instance. Seriously? It does not authenticate a write to the cache? And they didn't see this as a problem when desgining memcache? Really?
Anyone can write on your underwear too, if you are stupid enough to wear it outside your pants.
Is that an underwear design flaw?

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:More Boiled and Distilled. by Farmer+Tim · 2010-08-06 18:33 · Score: 5, Insightful
  
  Best. Analogy. Ever.
  
  --
  Blank until /. makes another boneheaded UI decision.
Re:Admin or distro? by TheRaven64 · 2010-08-06 22:24 · Score: 4, Insightful

default to INDRR_ANY
And this is why they're to blame. Default should be the loopback, and enabling external access should require explicit configuration.

--
I am TheRaven on Soylent News