memcached should disable UDP by default

Bug #1752831 reported by Hanno Böck
Affects              Status         Importance   Assigned to
memcached (Ubuntu)   Fix Released   Undecided    Unassigned
Trusty               Fix Released   Undecided    Steve Beattie
Xenial               Fix Released   Undecided    Steve Beattie
Artful               Fix Released   Undecided    Steve Beattie

Bug Description

Memcached is currently involved in some massive DDoS attacks, see e.g.:
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

The UDP protocol of memcached can be abused for very effective DDoS amplification attacks and should therefore be considered dangerous.
Upstream memcached has reacted to this by disabling UDP by default:
https://github.com/memcached/memcached/wiki/ReleaseNotes156

In Ubuntu, memcached by default only listens on 127.0.0.1, but enables UDP. While the localhost-only setting protects the defaults, it's still only a minor change away from creating an effective DDoS tool for a protocol that is hardly in use today. I recommend that Ubuntu backports the upstream change and disables UDP by default.
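As an added example (not part of the bug report or the Ubuntu package), the check below classifies a memcached.conf-style file into the three states the report describes: UDP disabled, UDP enabled but loopback-only, and UDP exposed on a non-loopback address. It assumes the option-per-line format of the Debian/Ubuntu config file, that `-U 0` disables UDP, and that an unpatched (pre-1.5.6) build enables UDP on the TCP port when `-U` is absent; the sample configs are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample configs (not copied from the Ubuntu package).
# "before" mirrors the pre-fix default the report describes: loopback only,
# but UDP still on. "after" adds the upstream default of -U 0.
CONF_BEFORE = """
-m 64
-p 11211
-u memcache
-l 127.0.0.1
"""

CONF_AFTER = CONF_BEFORE + "-U 0\n"


def parse_memcached_conf(text):
    """Collect single-letter options from a memcached.conf-style file.
    One option per line, '#' starts a comment; later lines win."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^-(\w)\s*(\S*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def udp_exposure(text):
    """Return 'udp-disabled', 'udp-loopback-only' or 'udp-exposed'.
    Assumption: without -U, an unpatched build uses the TCP port for UDP."""
    opts = parse_memcached_conf(text)
    udp_port = opts.get("U", opts.get("p", "11211"))
    if udp_port == "0":
        return "udp-disabled"
    listen = opts.get("l")
    if listen is None:
        return "udp-exposed"  # no -l: memcached binds all interfaces
    try:
        loopback = all(ip_address(a.strip()).is_loopback
                       for a in listen.split(","))
    except ValueError:
        loopback = False  # hostnames etc.: treat as not proven safe
    return "udp-loopback-only" if loopback else "udp-exposed"
```

Run it against /etc/memcached.conf on an unpatched host; anything other than "udp-disabled" is the state the report argues should not be the default.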


Launchpad Janitor (janitor) wrote:

This bug was fixed in the package memcached - 1.5.4-1ubuntu3

---------------
memcached (1.5.4-1ubuntu3) bionic; urgency=medium

  * SECURITY UPDATE: disable listening on UDP port by default due to
    use in DDoS amplification attacks
    - debian/patches/disable-udp-by-default.patch: disable UDP port by
      default. (LP: #1752831)
    - debian/NEWS: add explanation and document how to re-enable UDP if
      necessary.

 -- Steve Beattie <email address hidden> Fri, 02 Mar 2018 10:24:18 -0800

Changed in memcached (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie)
Changed in memcached (Ubuntu Trusty):
status: New → Triaged
Changed in memcached (Ubuntu Xenial):
status: New → Triaged
Changed in memcached (Ubuntu Artful):
status: New → Triaged
Changed in memcached (Ubuntu Trusty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in memcached (Ubuntu Xenial):
assignee: nobody → Steve Beattie (sbeattie)
Changed in memcached (Ubuntu Artful):
assignee: nobody → Steve Beattie (sbeattie)
Hanno Böck (hanno-hboeck) wrote:

This got CVE-2018-1000115 assigned.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package memcached - 1.4.33-1ubuntu3.2

---------------
memcached (1.4.33-1ubuntu3.2) artful-security; urgency=medium

  * SECURITY UPDATE: denial of service due to integer overflow
    - debian/patches/CVE-2017-9951.patch: check for integer overflow on
      key requests
    - CVE-2017-9951
  * SECURITY UPDATE: disable listening on UDP port by default due to
    use in DDoS amplification attacks
    - debian/patches/disable-udp-by-default.patch: disable UDP port by
      default. (LP: #1752831)
    - debian/NEWS: add explanation and document how to re-enable UDP if
      necessary.
    - CVE-2018-1000115
  * debian/patches/fix-compiler-warning.patch: fix compilation warning
    with gcc-7 that causes FTBFS.
  * debian/rules: disable tests on armhf, to prevent the build hanging.

 -- Steve Beattie <email address hidden> Mon, 05 Mar 2018 01:29:48 -0800

Changed in memcached (Ubuntu Artful):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package memcached - 1.4.25-2ubuntu1.3

---------------
memcached (1.4.25-2ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service due to integer overflow
    - debian/patches/CVE-2017-9951.patch: check for integer overflow on
      key requests
    - CVE-2017-9951
  * SECURITY UPDATE: disable listening on UDP port by default due to
    use in DDoS amplification attacks
    - debian/patches/disable-udp-by-default.patch: disable UDP port by
      default. (LP: #1752831)
    - debian/NEWS: add explanation and document how to re-enable UDP if
      necessary.
    - CVE-2018-1000115

 -- Steve Beattie <email address hidden> Mon, 05 Mar 2018 01:08:38 -0800

Changed in memcached (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package memcached - 1.4.14-0ubuntu9.2

---------------
memcached (1.4.14-0ubuntu9.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service due to integer overflow
    - debian/patches/CVE-2017-9951.patch: check for integer overflow on
      key requests
    - CVE-2017-9951
  * SECURITY UPDATE: disable listening on UDP port by default due to
    use in DDoS amplification attacks
    - debian/patches/disable-udp-by-default.patch: disable UDP port by
      default. (LP: #1752831)
    - debian/NEWS: add explanation and document how to re-enable UDP if
      necessary.
    - CVE-2018-1000115

 -- Steve Beattie <email address hidden> Mon, 05 Mar 2018 02:10:59 -0800

Changed in memcached (Ubuntu Trusty):
status: Triaged → Fix Released