PublicDateAtUSN: 2018-03-05
Candidate: CVE-2018-1000115
PublicDate: 2018-03-05 14:29:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000115
 https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
 https://github.com/memcached/memcached/wiki/ReleaseNotes156
 https://ubuntu.com/security/notices/USN-3588-1
Description:
 Memcached version 1.5.5 contains an Insufficient Control of Network Message
 Volume (Network Amplification, CWE-406) vulnerability in the UDP support of
 the memcached server that can result in denial of service via network flood
 (traffic amplification of 1:50,000 has been reported by reliable sources).
 This attack appear to be exploitable via network connectivity to port 11211
 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the
 disabling of the UDP protocol by default.
Ubuntu-Description: 
 It was discovered that Memcached listened to UDP by default. A remote
 attacker could use this as part of a distributed denial of service
 attack.
Notes: 
 sbeattie> in Ubuntu (and Debian) memcached is bound to the loppback
   interface by default. However, if memcached is bound to other
   interfaces, the UDP port is still enabled by default.
 sbeattie> Ubuntu update is to disable listening on UDP by default. To
   re-enable UDP, add '-U 11211' to /etc/memcached.conf and restart the
   memcahced service.
Bugs: 
 https://bugs.launchpad.net/bugs/1752831
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891907
Priority: low
Discovered-by:
Assigned-to: 
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_memcached:
upstream_memcached: released (1.5.6)
precise/esm_memcached: DNE
trusty_memcached: released (1.4.14-0ubuntu9.2)
trusty/esm_memcached: DNE (trusty was released [1.4.14-0ubuntu9.2])
xenial_memcached: released (1.4.25-2ubuntu1.3)
esm-infra/xenial_memcached: released (1.4.25-2ubuntu1.3)
artful_memcached: released (1.4.33-1ubuntu3.2)
devel_memcached: not-affected (1.5.4-1ubuntu3)