Cache On Delivery — Memcached Opens an Accidental Security Hole

jamie spotted this eye-opening presentation (here's a longer explanation) about how easy it is to access sensitive data on many sites using memcached, writing "If you already know what memcached is, skim to slide #17. The jaw-drop will happen around slide #33. Turns out many websites expose their totally-non-protected memcached interface to the Internet, including gowalla, bit.ly, and PBS."

  • Re:Firewall? (Score:5, Interesting)

    by IICV ( 652597 ) on Saturday August 07, 2010 @02:16AM (#33171886)

    Yeah, slide 52 (paraphrased) is as follows:

    Fixes?

    1. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW. FW....
    2. .....
    3. Also, FW

    I assume he means "firewalls" by "FW". Seriously, you can't even bother to spell out "firewall" in a presentation?

  • Admin or distro? (Score:5, Interesting)

    by shish ( 588640 ) on Saturday August 07, 2010 @03:12AM (#33172012) Homepage

    Debian's default config says:

    # Specify which IP address to listen on. The default is to listen on all IP addresses
    # This parameter is one of the only security measures that memcached has, so make sure
    # it's listening on a firewalled interface.
    -l 127.0.0.1

    Are there any distros that don't have it locked down by default? I would hope not, but if something has it insecure out of the box with no warning that might explain it... (though a good sysadmin would firewall all internal services, whether the documentation tells them to or not)

  • by marcoslaviero ( 1873058 ) on Saturday August 07, 2010 @05:11AM (#33172182)

    There's a deeper issue at play here as it relates to shifting apps and platforms away from your own hardware/networks. Developers are now often responsible for deploying apps onto cloud systems where they don't have experience with network security or the tools for protecting network-based services, and this is an obvious difference from the traditional network/app split that occurs in most corporates. It doesn't help that memcached (by default) binds to * but they do make this pretty clear (also, remote enumeration of the cache is genuinely a debug feature).

    Man pages help, but when the defaults don't aid developers we need a rethink of both the software (memcached) and the systems where it's not running securely (cloud platforms).

  • Re:Admin or distro? (Score:3, Interesting)

    by Paul Jakma ( 2677 ) on Saturday August 07, 2010 @06:50AM (#33172464) Homepage Journal

    So what if you want to run memcached on a multi-user machine?

    It's slightly mad that software like this, which is designed without security, would use TCP by default, instead of local Unix sockets (access to which can be controlled with standard Unix filesystem permissions on the containing directory (careful about relying on permissions on the socket itself having any effect - not portable)). Indeed, it doesn't even seem to support Unix sockets (would be a trivial patch though).

  • by Enleth ( 947766 ) <enleth@enleth.com> on Saturday August 07, 2010 @07:57AM (#33172622) Homepage

    netstat -lpn seems simple enough. I tend to run it every time I change something in a configuration file of a network-enabled service, just to be sure. It would be irresponsible to do otherwise.
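A check along the lines of the netstat -lpn habit described above, as an added example that is not part of any comment in this thread: it reads netstat -lpn style output and flags memcached TCP/UDP sockets bound to anything other than loopback, which is the state the Debian "-l 127.0.0.1" default is meant to guarantee. The function names and the sample netstat output are constructed for the example, not captured from a real host.

```shell
# Added example: audit "netstat -lpn" output for memcached listeners that are
# bound to something other than loopback. Helper names are hypothetical and
# the sample output below is constructed, not captured from a real host.

# exposed_memcached_listeners: reads netstat -lpn lines on stdin and prints
# each memcached TCP/UDP socket whose local address is not 127.0.0.1 or ::1
# (0.0.0.0 and :: mean "all interfaces", which is memcached's own default).
exposed_memcached_listeners() {
    awk '
        # Only inet sockets owned by memcached; unix-socket lines start with "unix"
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ && $NF ~ /memcached/ {
            addr = $4                  # Local Address column, e.g. 0.0.0.0:11211
            sub(/:[0-9]+$/, "", addr)  # drop the port, leaving the bind address
            if (addr != "127.0.0.1" && addr != "::1")
                print
        }
    '
}

# count_exposed_memcached: prints how many listeners the audit flagged, so the
# check can be used as a pass/fail gate in a deployment script.
count_exposed_memcached() {
    exposed_memcached_listeners | wc -l | tr -d ' '
}

# Constructed sample of what "netstat -lpn" might print on a web host:
# memcached bound to all interfaces on TCP and UDP, plus a loopback-only MySQL.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1234/memcached
tcp6       0      0 :::11211                :::*                    LISTEN      1234/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           1234/memcached
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      987/mysqld
EOF
}

# The same host after a Debian-style "-l 127.0.0.1" fix (constructed).
sample_netstat_fixed() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1234/memcached
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           1234/memcached
EOF
}

# Run "sh script.sh demo" to print the flagged lines for the exposed sample;
# on a real host pipe "netstat -lpn" into exposed_memcached_listeners instead.
if [ "${1:-}" = "demo" ]; then
    sample_netstat | exposed_memcached_listeners
fi
```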
