Hey Webmasters, are you using Memcached to boost the performance of your website?

Beware! It might be vulnerable to remote hackers.

Three critical Remote Code Execution vulnerabilities have been reported in Memcached by security researcher Aleksandar Nikolich at Cisco Talos Group that expose major websites, including Facebook, Twitter, YouTube, Reddit, to hackers.

Memcached is a fabulous piece of open-source distributed caching system that allows objects to be stored in memory. It has been designed to speed up dynamic web applications by reducing stress on the database that helps administrators to increase performance and scale web applications.

Memcached is widely used by thousands upon thousands of websites, including popular social networking sites such as Facebook, Flickr, Twitter, Reddit, YouTube, Github, and many more.

Nikolich says that he discovered multiple integer overflow bugs in Memcached that could be exploited to remotely run arbitrary code on the targeted system, thereby compromising the many websites that expose Memcache servers accessible over the Internet.

The vulnerabilities actually reside in "various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs."
  • CVE-2016-8704: Memcached Server Append/Prepend Remote Code Execution Vulnerability
  • CVE-2016-8705: Memcached Server Update Remote Code Execution Vulnerability
  • CVE-2016-8706: Memcached Server SASL Authentication Remote Code Execution Vulnerability

Hackers Can Remotely Steal Sensitive Information

If exploited, the vulnerabilities could allow attackers to send repeat specifically-crafted Memcached commands to the targeted servers.

Moreover, the flaws could also be exploited to leak sensitive process information that can further be used to bypass standard exploitation mitigations, like ASLR (Address Space Layout Randomisation), making the attacks reliable and considerably "severe."

By default, Memcached service installed on your server is available to the world on TCP port 11211, so it has always been strongly recommended to limit its access within a trusted environment, behind the firewall.

So, if you have not yet updated your software to the latest release and Memcached service is publically accessible, an attacker can simply exploit these vulnerabilities to remotely steal sensitive information cached by the server without your knowledge.

What's even worse? These flaws could allow hackers to replace cached content with their malicious one in order to deface the website, serve phishing pages and malicious links to hijack victim's machine, placing hundreds of millions of online users at risk.

Patch your Memcached Server Now!

The integer overflow flaws in Memcached affect Memcached version 1.4.31 and earlier.

The researcher notified Memcached of the flaws and the company only took two days to build a patch on 31st October.

Memcached says the critical remote code execution flaws "are related to the binary protocol as well as SASL authentication of the binary protocol," but has been fixed in the latest release.

Customers are advised to apply the patch even to Memcached deployments in "trusted" environments, as attackers with existing access could target vulnerable servers to move laterally within those networks.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.