Cache On Delivery — Memcached Opens an Accidental Security Hole

jamie spotted this eye-opening presentation (here's a longer explanation) about how easy it is to access sensitive data on many sites using memcached, writing "If you already know what memcached is, skim to slide #17. The jaw-drop will happen around slide #33. Turns out many websites expose their totally-non-protected memcached interface to the Internet, including gowalla, bit.ly, and PBS."

Firewall?

[chx1975]

I run my memcacheds behind firewall. I thought that the basic server security rule was that you firewall everything opening ports very cautiously as necessary.

Re:Firewall?

[MikeFM]

My memcached server is on the private network only accessible to other servers and is firewalled to everything but the servers that need access. Not exactly rocket science.

Re:Firewall?

[IICV]

Yeah, slide 52 (paraphrased) is as follows:

Fixes?

1. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW....
2. .....
3. Also, FW

I assume he means "firewalls" by "FW". Seriously, you can't even bother to spell out "firewall" in a presentation?

Re:Firewall?

[PIBM]

Ive been running memcached since it's out, even sent some patches in.

The thing is, why aren't they running this on a private network ?? Memcached is designed to be fast AND non-secure, to be run on your local network. Running it on a server farm with thousands of people having access to your computers and ips is not a private network.

I had heard about people running it on the local interface and still getting problems before (somebody else with the same computer ran it too and forgot to pick the good port and finally used the same key ...) but that's because IT'S NOT BUILT TO BE USED ON AN UNSECURED NETWORK.

Nothing new, bad admins get bad things done to them, move along.

I fail to see why this is news

[OverlordQ]

Much less 'memcached' being at fault. They say it themselves:

Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users.

All this is is stupid admins doing stupid things story and those are dime a dozen.

Re:I fail to see why this is news

[Etylowy]

This.

That's what you get for being cheap when hiring security team. Setting up memcached on a public IP or without a firewall is as bad as having your session directory fully writable on a public ftp (and quite similar too).
Memcached is good software and does exactly what it has been designed to do - provides fast key cache - but as with every tool if you are dumb you will hurt yourself. If those admins were carpenters they'd have an average of 4 fingers ;-)

Re:I fail to see why this is news

[TheRaven64]

A good tool is designed in such a way that the correct use is the easiest. Does memcached, for example, default to only accepting connections from the local host and require other IPs to be explicitly added? That would be trivial to implement and, if done, would require the admin to implement something like the correct security policy. In contrast, defaulting to accepting connections from anywhere means that the admin can use it incorrectly without needing to do any thinking, but needs to think before using it correctly.

Re:I fail to see why this is news

You don't need a security team, just a clue.

Re:I fail to see why this is news

[MikeFM]

The difference is that in this case a non-retarded admin can secure things. With Microsoft products it often takes an act of God to secure them (the best security feature of a Windows system is a blue screen of death). And memcached isn't meant to be a public service. It's very plainly described as not being secure. Completely different than a service that is meant to be public such as web or email not being secure.

Re:I fail to see why this is news

[MikeFM]

It defaults to not being installed and running. Memcached is meant to be ran from one or more caching servers (not really on the web server itself). It isn't really meant to be ran on localhost under ideal usage.

Re:I fail to see why this is news

[Enleth]

netstat -lpn seems simple enough. I tend to run it every time I change something in a configuration file of a network-enabled service, just to be sure. It would be irresponsible to do otherwise.

Re:I fail to see why this is news

[vrmlguy]

http://code.google.com/p/memcached/wiki/NewConfiguringServer

Networking
By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users. Using SASL authentication here helps, but should not be totally trusted.

From their wiki page detailing how to configure a new server. Surely the part they highlight in bold should have raised a flag to even the dumbest administrator.

Here's an idea that won't impact performance: At startup, issue a big multi-line warning if the IP addresses that are getting bound aren't on a Private Internet:

The Internet Assigned Numbers Authority (IANA) has reserved the
      following three blocks of the IP address space for private internets:

          10.0.0.0 - 10.255.255.255 (10/8 prefix)
          172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
          192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Re:I fail to see why this is news

[nebular]

I believe the point here is that software designers should assume that in terms of security their users are complete idiots and WILL install and setup the program in an unsecure manner unless they are specifically beat over the head with the notion that what they are doing is BAD!

Re:I fail to see why this is news

[TheRaven64]

Which is exactly the point. The default install should never be working-and-insecure. It should be secure, and ideally it should be working. If it is not possible for the default install to be both useful and secure, as appears to be the case with memcached, then it should install only listening on localhost and require explicit intervention by the user to accept connections from other hosts.

If you can install it and have it work by default, then there is no reason for the user to bother reading the manual, so they won't learn that it needs to be specially configured to be secure. If the default is secure but not particularly useful, then the user needs to explicitly adjust the setting that makes it insecure, and in so doing needs to read the documentation explaining that this will make it insecure and how to mitigate it.

Re:I fail to see why this is news

[apoc.famine]

That's like saying knives should be designed to be dull, because users are idiots, and will cut themselves.

It's not in any way the programmer's responsibility to hold the hands of idiots so they don't hurt themselves. The people who wrote this wrote a solid programs, and IN THE DOCS noted that if you set this up like this, you were an idiot.

Come on... we have far too much nanny-state as it is. My coffee has a warning on it that it's hot, my keyboard has a warning on it about RSI, my girlfriends hair straightener has a warning on it that it can burn you because it's hot....do we really need to extend this to software?

I forget who said it, but some comedian said we should remove the warnings from everything, and let nature sort it out. Same for software. If you're not smart enough to run a website, perhaps you need a painful pointing out of that.

Re:I fail to see why this is news

[bjourne]

Yes memcached defaults to only accepting connections from the local address. From memcached.conf:

# Specify which IP address to listen on. The default is to listen on all IP addresses # This parameter is one of the only security measures that memcached has, so make sure # it's listening on a firewalled interface. -l 127.0.0.1

Re:Let me see if I understand this

[Firehed]

Memcache's one purpose in life is to be as fast as possible. It makes perfect sense for it to drop the overhead of authentication and leave it on the server operator's head to not make it publicly accessible. It's not rare to strip out MySQL's authentication layer (and presumably the same for other DBs) for a speedup when your DB server is sitting behind a firewall.

More Boiled and Distilled.

[SuperKendall]

Memcache allows anyone to overwrite a cache instance. Seriously? It does not authenticate a write to the cache? And they didn't see this as a problem when desgining memcache? Really?

Anyone can write on your underwear too, if you are stupid enough to wear it outside your pants.

Is that an underwear design flaw?

Re:More Boiled and Distilled.

[Farmer+Tim]

Best. Analogy. Ever.

Re:More Boiled and Distilled.

[pushing-robot]

As spokesman for the Justice League, I say yes.

Re:More Boiled and Distilled.

[davester666]

No. Car. Was. Involved.

Re:More Boiled and Distilled.

[outsider007]

That's actually more of a feature.

Re:More Boiled and Distilled.

[Farmer+Tim]

That's. Why.

Re:More Boiled and Distilled.

[sjames]

Boiled and distilled underwear....Ewwwww.

A few clarifications

[marcoslaviero]

In terms of the vendors identified, Bit.ly, GoWalla and Pbs were notified. Bit.ly and GoWalla repaired the flaws within minutes. I am not aware of Pbs repairing the issue. This talk seems to have struck a chord which I can't really explain (suggestions welcome). Yes, exposing your memcached's is bad (the talk shows just how bad), but it's not a clever find to discover them. [fd: that's my name on the slides]

Re:A few clarifications

[marcoslaviero]

There's a deeper issue at play here as it relates to shifting apps and platforms away from your own hardware/networks. Developers are now often responsible for deploying apps onto cloud systems where they don't have experience with network-security or the tools for protecting network-based services, and this is an obvious difference from the traditional network/app split that occurs in most corporates. It doesn't help that memcached (by default) binds to * but they do make this pretty clear (also, remote enumeration of the cache is genuinely a debug feature).

Man pages help, but when the defaults don't aid developers we need to a rethink both of the software (memcached) and the systems were it's not running securely (cloud platforms).

Re:A few clarifications

[IAmGarethAdams]

Mostly through rouge employees

Luckily, they often get caught red-handed.

Admin or distro?

[shish]

Debian's default config says:

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

Are there any distros that don't have it locked down by default? I would hope not, but if something has it insecure out of the box with no warning that might explain it... (though a good sysadmin would firewall all internal services, whether the documentation tells them to or not)

Re:Admin or distro?

[TheRaven64]

default to INDRR_ANY

And this is why they're to blame. Default should be the loopback, and enabling external access should require explicit configuration.

Re:Admin or distro?

[Paul+Jakma]

So what if you want to run memcached on a multi-user machine?

It's slightly mad that software like this, which is designed without security, would use TCP per default, instead of local Unix sockets (access to which can be controlled with standard Unix filesystem permissions on the containing directory (careful about relying on permissions on the socket itself have any effect - not portable)). Indeed, it doesn't even seem to support Unix sockets (would be a trivial patch though).

Re:Admin or distro?

[bill_mcgonigle]

Memcached is not meant for single-server configurations

That's silly, it's a generic object store. There's no reason not to use it to cache expensive local operations. Of course it shines across a farm of caches, but the server mapping hash will work just fine with one machine.

If you're a startup with just one webserver and starting to hit performance problems, memcached will likely buy you a few more months.

Going from one server to two is hard, three is a bit more work, and after three it's roughly all the same until you start adding more data centers and then it's all the same until you're Facebook. Taking on that 'hard' expense too early would be a poor allocation of resources.

Re:Let me see if I understand this

I've dealt with a lot of large production databases, Oracle, SQL Server, MySQL, PostgreSQL, and similar. I've never seen the authentication layer striped out. These were pretty performance hungry applications as well, though perhaps not that many quick connections, but still the overhead is so small, that when you're communicating internally, it's generally not a problem. For companies like Google I could see this being a problem, but for MOST instances of these servers, I wouldn't suggest people do it.

At the very least, for that extra micro-second of overhead, it means if some cracker gets into your network, you don't have to worry about that as much (not that you don't have to worry, hell, some crackers in your network!).

Also, wouldn't you at least want to restrict it from employees that shouldn't be fucking with it. Granted companies whose purpose it is to develop this application, likely want almost everyone having access, but most instances you wouldn't want this.

None the less, this is off topic, and the article is retarded.

Re:Let me see if I understand this

[riskeetee]

You don't leave the keys in the Batmobile when it's outside of the cave. That's just asking for trouble.

mysql/ssh/postgres/ftp/etc. opens security hole

[pyalot]

Yeah like... all these open a socket to listen to, and man, if somebody logs into it, they're like, owning your server! Geeze, what where mysql/ssh/postgres/ftp/etc. thinking?!!!

Re:Let me see if I understand this

Jesus Tapdancing Christ, they explicitly say that in the doc(s) where they discuss design decisions. They can't use stunnel or blah or blah2 or blah3?

"It does not authenticate a write to the cache? And they didn't see this as a problem when desgining memcache? Really?"

Yeah, they saw it and they saw their site and their systems and saw that they did not require that feature for themselves - they weren't creating memcache for charity to donate to the world at large - ffs. Say what you want about livejournal but they created a bunch of high performance distributed system tools - gearman, memcache, mogileFS, etc that allowed anyone to build massive social website prior to them, the tools were not there. Now I am sure some smug historical revisionists was come and explain how these things were all built in SNOBOL in the 1950s then reinvented in Java as apache foundation project with simple 12,000 line xml config files that future generations will claim are alien code for time travel devices but those historical revisionists would be dead wrong.

Re:Let me see if I understand this

[PIBM]

It's open source, if you want to add a layer of protection, go away. For the rest of us, we are using memcached for maximum speed, no such thing in.

Lets say you add a layer of protection to your memcache, it now requires a password to get in. The hacker is in your network, so he can sniff those packets. Where's your protection ? Ok, lets say you add in some crypto to prevent sniffing attack. He's in your network, on your computers, reading your files. He then parse your code and grab the password.

So, what have you been able to achieve exactly ? Nothing beside slow downs everyone downs. People should just learn to use the tools at their disposal. And yes, you can kill yourself with a car. Should we lock them all down to 10mph ?

For the parent, here's memcached help. Notice that even if it's ADRANY, you have it in your face should you be on an unsecure network. And besides, locking it to your ip won't prevent someone inside your network from getting the content.

  memcached -help
memcached 1.2.6
-p TCP port number to listen on (default: 11211)
-U UDP port number to listen on (default: 0, off)
-s unix socket path to listen on (disables network support)
-a access mask for unix socket, in octal (default 0700)
-l interface to listen on, default is INDRR_ANY
-d run as a daemon
-r maximize core file limit
-u assume identity of (only when run as root)
-m max memory to use for items in megabytes, default is 64 MB
-M return error on memory exhausted (rather than removing items)
-c max simultaneous connections, default is 1024
-k lock down all paged memory. Note that there is a
                            limit on how much memory you may lock. Trying to
                            allocate more than that would fail, so be sure you
                            set the limit correctly for the user you started
                            the daemon with (not for -u user;
                            under sh this is done with 'ulimit -S -l NUM_KB').
-v verbose (print errors/warnings while in event loop)
-vv very verbose (also print client commands/reponses)
-h print this help and exit
-i print memcached and libevent license
-b run a managed instanced (mnemonic: buckets)
-P save PID in , only used with -d option
-f chunk size growth factor, default 1.25
-n minimum space allocated for key+value+flags, default 48

Food Analogy

[TimTucker]

Think of it like this:

System that is never intended to be secure: plastic apple with a warning label stating "THIS IS NOT FOOD"

System that should be secure, but isn't: apple full of worms

You're not going to have a good experience biting into either apple, but there's definitely a difference in the expectations that someone would have when looking at them.

Re:In that case...

[Zancarius]

Note that your point stands on the "if configured incorrectly" while the parent's is "it should be distrubuted on such a state that the sysadmin would be forced to do *any* kind of configuration prior for it to work" (thus giving the option to even "configure" it, either correctly or incorrectly).

No, you're just splitting hairs. My point is that software can be configured incorrectly and that it isn't the developers' fault if that happens. I believe the parent's point of view (and the general view espoused further up the comment chain) was that software should be distributed in such a manner that it cannot be configured insecurely. I'm hoping I just misunderstood what you wrote and that you were simply disagreeing for the sake of, well, disagreement. Or trolling. Regardless, I'd encourage you to read up the chain so you may better understand my point (the parent was just convenient fodder since his view was mentioned numerous times, and I got fed up with this notion that it's the responsibility of the developers to ensure no configuration can be abused).

N.B. that if I were to split hairs, I'd point out that your comment that implies (I think? You may have missed a word or two while typing it out) that sysadmins shouldn't be forced to do anything to make a particular software install work. That's a fairly short order--almost all software works out of the box as expected, but whether it works securely across all "default" installs is another matter entirely and one that, again, is the responsibility of the user to verify. But the point goes far beyond that, and I'm somewhat disappointed that you seem to agree with the general sentiment that post-install configuration should almost never happen except in rare outlying circumstances (hint: this isn't likely to happen, particularly with the vast array of requirements, disparate hardware, and so forth). Note, also, that if this notion of "secure by default" is taken to the extreme, you wind up with OpenBSD. OpenBSD is secure by default. You also cannot use it without installing and configuring additional software (thus no longer having a "default" install), because it comes with only OpenSSH installed by default! In other words, we're just encountering a difference of philosophies, and I ascribe to the one that makes the burden of configuration your responsibility as a user, not mine as a developer.

And really, this point it doesn't matter at all, because someone will still find a way to configure it incorrectly, regardless of how well it was written (don't believe me? you'd be surprised what lurks out there in the wild) or how strict the default configuration is. There are people out there who will tinker with things, including things they may not fully understand, and configure it in a manner that is suddenly insecure. That is my fundamental point; the point of the OP and those subsequently up the chain is that the responsibility should rest upon the shoulders of the developers to ensure their software cannot be configured incorrectly--that's the whole point many of the posts here are arguing against Memcached for! There seems to be so much heartache that Memcached (which doesn't require authentication) can be configured in a manner that it exposes sensitive data to the Interwebs. Guess what? If it does, that is the fault of the administrator and not the fault of Memcached or its developers.

I'm not sure how else to state that more clearly. But I'll try:

Responsibility rests on the person who installs the software to ensure it is configured securely for their needs, not the developers nor the package maintainers. The only point in time, IMO, where such responsibility is the developers' is when it becomes an issue of out-of-band behavior; e.g. something that is unexpected and unintended (a bug or security flaw) and not fundamentally something that is the result of a misconfiguration. In short:

Misconfigurations = user's responsibility (even if t