Secure Zimbra Server from Memcached Attack

The Memcached amplification attacks ("Memcrashed") made big news this year. Zimbra uses Memcached for distributed memory caching in a proxy environment. Out of the box, Zimbra's memcached binds to all interfaces, so if port 11211 is reachable from the Internet the server answers anyone's requests: it can be abused as a reflector in UDP amplification attacks, and its cache can be read or written by strangers.

Checking Vulnerability

To check whether your server is vulnerable, test from a network outside the server (the attacker's point of view), not from the server itself.

Telnet from the outside network. If the connection is accepted and you get a blank screen (rather than "Connection refused" or a timeout), the port is open and the server is vulnerable:

 telnet <IP of zimbra server> 11211

Or run Nmap from the outside network:

nmap <IP of zimbra server> -p 11211 --script memcached-info

The amplification attack abuses the UDP port, so also run the same Nmap scan as a UDP scan (-sU); the memcached-info script works over both TCP and UDP.

Sample Nmap result of a vulnerable server (screenshot): the memcached-info script returns the server's statistics to the unauthenticated probe.

Mitigation

Any one of the following methods can be used.

  1. If the server is behind a firewall, drop all incoming and outgoing connections on TCP and UDP port 11211 from the untrusted zone to the DMZ zone.
  2. If the server isn't behind a firewall but you are running netfilter, you can use the following iptables rules. Note that -I inserts each rule at the top of the chain, so the DROP rules must be added first and the ACCEPT rules last; added in the opposite order, the DROP rules would sit above the ACCEPT rules and loopback traffic to memcached would be blocked too. In a multi-server deployment, add ACCEPT rules for the other Zimbra proxy and mailbox hosts that legitimately talk to this memcached.

iptables -I INPUT -p udp --dport 11211 -j DROP
iptables -I INPUT -p tcp --dport 11211 -j DROP
iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT
service iptables save

  3. If you don't want to use either of the above, you can make the Zimbra Memcached service listen on localhost only. This is suitable for a single-server installation, or a proxy node whose memcached is used only by the local nginx; if other Zimbra proxy or mailbox servers connect to this memcached, use one of the firewall methods instead. The proxy reads zimbraMemcachedClientServerList when its nginx configuration is generated, so restart the proxy as well (zmproxyctl restart) for the change to take effect.

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
zmmemcachedctl restart

Before status (screenshot): memcached listening on all interfaces.

After status (screenshot): memcached listening on 127.0.0.1 only.
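As an added example (not code from the original post or from the Zimbra wiki), the following shell script turns the before/after check into something repeatable: it parses `ss -lntu` output to list memcached listeners bound to a non-loopback address, and it can probe the TCP port from an outside host with bash's /dev/tcp instead of telnet. The `ss` column layout, port 11211, the presence of the `timeout` utility, and the two sample socket listings embedded below are assumptions and constructed data, not output captured from a real Zimbra host.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from Zimbra: audit the
# memcached listeners of a host from `ss -lntu` output and probe the TCP
# port from outside. Assumptions: memcached on port 11211, `ss` columns
# "Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port", and
# anything not bound to 127.x.x.x or [::1] counts as exposed.

MEMCACHED_PORT=11211

# Print "proto local-address:port" for every memcached listener found in
# `ss -lntu` output read from stdin.
memcached_listeners() {
  awk -v port="$MEMCACHED_PORT" \
    '($1 == "tcp" || $1 == "udp") && $5 ~ (":" port "$") { print $1, $5 }'
}

# Keep only listeners an outside host could reach: anything that is not
# bound to a loopback address (127.x.x.x or [::1]). 0.0.0.0, * and [::]
# all mean "every interface" and are therefore exposed.
exposed_memcached_listeners() {
  memcached_listeners | awk '$2 !~ /^127\./ && $2 !~ /^\[::1\]/'
}

# Exit 0 (true) if at least one memcached listener is exposed, 1 otherwise.
memcached_is_exposed() {
  local n
  n=$(exposed_memcached_listeners | wc -l)
  [ "$n" -gt 0 ]
}

# Probe the TCP port from another host with bash's /dev/tcp. Prints the number
# of "STAT" lines memcached returned; anything above 0 means an unauthenticated
# client can read server statistics, i.e. the port is open to the world.
# Usage: probe_memcached_tcp <host> [port]   (needs coreutils `timeout`)
probe_memcached_tcp() {
  local host=$1 port=${2:-$MEMCACHED_PORT}
  timeout 5 bash -c '
    exec 3<>"/dev/tcp/$1/$2" || exit 2
    printf "stats\r\nquit\r\n" >&3
    cat <&3' _ "$host" "$port" 2>/dev/null | grep -c '^STAT '
}

# Constructed sample of `ss -lntu` output before the fix (memcached bound to
# all interfaces, IPv4 and IPv6) and after it (bound to loopback only).
SAMPLE_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:11211     0.0.0.0:*
tcp   LISTEN 0      1024   0.0.0.0:11211     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      1024   [::]:11211        [::]:*'

SAMPLE_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:11211   0.0.0.0:*
tcp   LISTEN 0      1024   127.0.0.1:11211   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Stand-alone usage:
#   ./memcached-check.sh audit            audit this host's listeners (needs ss)
#   ./memcached-check.sh probe <host>     count STAT lines returned by <host>
#   ./memcached-check.sh demo             run the audit over SAMPLE_BEFORE
case "${1:-}" in
  audit)
    if ss -lntu | memcached_is_exposed; then
      echo "memcached is exposed on a non-loopback address:"
      ss -lntu | exposed_memcached_listeners
      exit 1
    fi
    echo "memcached is bound to loopback only (or not running)" ;;
  probe) probe_memcached_tcp "$2" "${3:-$MEMCACHED_PORT}" ;;
  demo)  printf '%s\n' "$SAMPLE_BEFORE" | exposed_memcached_listeners ;;
esac
```

Run `audit` on the Zimbra host itself after applying method 3 to confirm the bind address change took effect, and `probe` from a host outside the firewall after applying method 1 or 2; the two checks fail differently (a listener on 0.0.0.0 versus a connection that is refused or times out), so each method is verified where it actually acts.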

Verification

Run the same Nmap scan from the outside network again. Port 11211 should now show as filtered (firewall methods) or closed (bound to localhost), and the memcached-info script should return nothing.

Nmap verification (screenshot).

References:

  1. https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
  2. https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
