Pathetic patching leaves over 70,000 Memcached servers still up for grabs

If you're running the caching service Memcached, and particularly if you're exposing it to the public internet for some reason, please make sure you've patched it. Tens of thousands of vulnerable systems haven't.

Back in October, researchers at Cisco’s Talos security team found three major security vulnerabilities that would allow hackers easy access to running installations of version 1.4.31 of Memcached and earlier, with a critical flaw in the binary protocol and Simple Authentication and Security Layer (SASL) code. The holes were fixed, and users including big names like Facebook and Reddit were advised to get patching.

But from scans of the public internet, it seems that some people weren't listening very hard. In February, Cisco did a sweep and found that:

• More than 85,000 public-facing instances were still unpatched and vulnerable.
• Only 22 per cent required any authentication for access.
• Of that 22 per cent, all but one per cent of the authenticated servers were not secure because patches hadn’t been properly installed.

“We made queries for all IP addresses to get contact emails for responsible organizations in order to send a notification with a simple explanation and suggestions to remedy this issue,” Cisco said. “This resulted in about 31 thousand unique emails which are pending notifications.”

Now you might think that – given the sensitive information many Memcached servers hold – Cisco’s warning emails might have had a beneficial effect on taking such systems off the public internet. Not so, as a scan earlier this month found a colossal number of servers still online and wide open.

In the five months since the warning emails were sent out, fewer than 10 per cent of vulnerable servers had been patched and hidden from view. Still vulnerable were 73,403 servers, and of those using authentication, only one per cent were properly patched.

“The severity of these types of vulnerabilities cannot be overstated,” said Cisco’s Talos team.

“These vulnerabilities potentially affect a platform that is deployed across the internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities, this should be a red flag for administrators around the world.” ®