The Memcached vulnerability made a big fuss this year. Zimbra uses Memcached for distributed memory caching in proxy environments. Out of the box, Zimbra acts as an open Memcached proxy: the service listens on every interface and responds to all requests.
Checking Vulnerability
To check whether your server is vulnerable, telnet to it from outside your network. If the following command connects and shows a blank screen, the server is vulnerable:
telnet <IP of zimbra server> 11211
or run Nmap from outside the network:
nmap <IP of zimbra server> -p 11211 --script memcached-info
Sample Nmap result for a vulnerable server:
Mitigation
Any one of the following methods can be used:
1. If the server is behind a firewall, drop all incoming/outgoing connections on TCP/UDP port 11211 from untrusted zones to the DMZ zone.
2. If the server isn't behind a firewall and you are running netfilter, you can use the following iptables rules. Insert the DROP rules first: `-I` puts each new rule at the top of the chain, so the localhost ACCEPT rules added last end up above the DROP rules and are matched first (inserting them in the opposite order would drop local traffic too).
iptables -I INPUT -p tcp --dport 11211 -j DROP
iptables -I INPUT -p udp --dport 11211 -j DROP
iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT
iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT
service iptables save
3. If you don't want to use either of the above, you can make the Zimbra Memcached service listen on localhost only:
su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
zmmemcachedctl restart
Status before the change:
Status after the change:
Verification
Run the same Nmap script again from outside the network. The result should look like this:
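As an added example (not from the Zimbra wiki or the original post), the Python probe below does what the telnet and Nmap checks above do: it connects to port 11211, sends the harmless `version` command and reports whether an open memcached answers, so you can run it against your own server from outside the network before and after the fix. The fake memcached it starts on loopback is a constructed stand-in for testing the probe locally; the host is whatever you pass on the command line.

```python
import socket
import threading

def probe_memcached(host: str, port: int = 11211, timeout: float = 3.0) -> dict:
    """Connect, send the harmless 'version' command and record what the port answers."""
    result = {"reachable": False, "speaks_memcached": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True  # TCP handshake completed: the port is open
            sock.sendall(b"version\r\n")
            data = sock.recv(256)
    except OSError:  # connection refused, filtered (timeout) or the reply never came
        return result
    banner = data.decode("ascii", "replace").strip()
    result["banner"] = banner
    # Only memcached answers 'VERSION x.y.z'; that is what an exposed instance shows anyone.
    result["speaks_memcached"] = banner.startswith("VERSION ")
    return result

def classify(result: dict) -> str:
    """One-word verdict: EXPOSED means the mitigation did not take effect."""
    if result["speaks_memcached"]:
        return "EXPOSED"
    if result["reachable"]:
        return "OPEN-NOT-MEMCACHED"  # port open but something else answers
    return "NOT-REACHABLE"  # refused or filtered: the expected state after the fix

def start_fake_memcached(version: bytes = b"1.4.25") -> int:
    """Constructed stand-in that answers 'version' like memcached; returns its loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            if conn.recv(64).strip() == b"version":
                conn.sendall(b"VERSION " + version + b"\r\n")
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

def unused_port() -> int:
    """Reserve and release a loopback port so the closed-port case can be probed."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, classify(probe_memcached(target)))
```

After applying any of the three mitigations, a run from an untrusted network should report NOT-REACHABLE, while a run on the server itself against 127.0.0.1 still reports EXPOSED, which is the intended local-only state.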
References:
- https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
- https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/