
[memcached-openstack] Secure Memcached

Open claco opened this issue 10 years ago • 1 comment

This is from the internal security review recommendations. This may not be possible due to HA installs which need more than localhost bindings. We can investigate other methods of securing the ports (stunnel, stud, iptables, etc) or we can document this as a known issue with no workaround and let the security audit folks know.

Severity: Medium

Description / Exploit: RPC installs memcached and binds it to a routable interface, leaving it exposed for anyone on the network to read/write/delete from memcached.

Impact: Unauthorized users could read/write/delete from the memcached instance.

Systems Vulnerable: 198.101.133.210:11211

Suggested Mitigation: We recommend that memcached initially listens to localhost to prevent any unauthorized reads/writes/deletes. A customer could open up memcached to the necessary systems afterwards. Change /etc/memcached.conf to have the option of: -l 127.0.0.1

Further References: No references given

Affects:

cookbooks/horizon/templates/default/local_settings.py.erb
88:#        'LOCATION' : '127.0.0.1:11211',

cookbooks/memcached/metadata.rb
32:          :default      => '11211'

cookbooks/memcached/templates/default/memcached.conf.erb
28:# Default connection port is 11211

cookbooks/memcached-openstack/attributes/default.rb
1:default["memcached"]["services"]["cache"]["port"] = 11211

cookbooks/swift/templates/default/proxy-server.conf.erb
130:# commas, as in: 10.1.2.3:11211,10.1.2.4:11211
131:# memcache_servers = 127.0.0.1:11211

claco avatar Mar 17 '14 18:03 claco

I think it'd be useful as a start to know where memcached is used and how it's used.

I know that Horizon uses it, but it's fine for it to only use a localhost binding as the LB keeps the client sticky to the same web server.

As I recall Swift uses it too, but there it needs to be shared between the swift-proxy servers I think. (It's been a while since I've had to work with Swift all that actively.) Perhaps a simple solution for these use cases is to implement an iptables rule to block access to the port from any IPs which are unauthorised? That'll be a lot simpler than tunneling.

odyssey4me avatar Mar 26 '14 12:03 odyssey4me
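The two mitigations discussed in this thread (binding memcached to 127.0.0.1 as the security review suggests, and an iptables allow-list for the shared Swift case) can be checked and generated from the config file itself. The Ruby below is an added example written for this issue, not code from the chef-cookbooks repository: the memcached.conf text is a constructed sample in Debian's format, the helper names (parse_memcached_conf, routable?, bind_to_localhost, iptables_rules) are hypothetical, and the proxy addresses 10.1.2.3/10.1.2.4 are taken from the swift proxy-server.conf comment quoted above. The iptables rules are returned as plain strings so they could be handed to whatever firewall resource a cookbook uses.

```ruby
require 'ipaddr'

# Constructed sample of a Debian-style /etc/memcached.conf (not the cookbook's template).
# The "-l" line is the one the security review asks to change to 127.0.0.1.
SAMPLE_CONF = <<~CONF
  # memcached default config file
  -d
  logfile /var/log/memcached.log
  # Default connection port is 11211
  -p 11211
  -u memcache
  # Specify which IP address to listen on. The default is to listen on all IP addresses
  -l 0.0.0.0
CONF

# Parse the listen addresses (-l, comma separated) and the port (-p) out of memcached.conf.
# Lines starting with "#" are comments. memcached listens on every interface when no -l is
# given, which is represented here as "0.0.0.0".
def parse_memcached_conf(text)
  listen = []
  port = 11211
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\A-l\s+(\S+)/ then listen.concat(Regexp.last_match(1).split(','))
    when /\A-p\s+(\d+)/ then port = Regexp.last_match(1).to_i
    end
  end
  listen = ['0.0.0.0'] if listen.empty?
  { listen: listen, port: port }
end

# A bind address is routable (exposed to the network) unless it is loopback.
# 0.0.0.0 and :: mean "all interfaces"; anything unparsable is treated as exposed.
def routable?(addr)
  ip = IPAddr.new(addr)
  return true if ip == IPAddr.new('0.0.0.0') || ip == IPAddr.new('::')
  !ip.loopback?
rescue IPAddr::InvalidAddressError
  true
end

# The bind addresses that the review's finding applies to.
def exposed_listeners(conf)
  conf[:listen].select { |a| routable?(a) }
end

# Rewrite the conf so memcached listens on loopback only (the suggested mitigation):
# drop every existing -l line and append a single "-l 127.0.0.1".
def bind_to_localhost(text)
  kept = text.lines.reject { |l| l =~ /\A\s*-l\s/ }
  (kept + ["-l 127.0.0.1\n"]).join
end

# For the shared Swift case: accept the listed proxy CIDRs on the memcached port and drop
# everyone else. Older memcached also answers on UDP, so UDP is dropped as well.
def iptables_rules(port, allowed_cidrs)
  accepts = allowed_cidrs.map { |cidr| "-A INPUT -p tcp --dport #{port} -s #{cidr} -j ACCEPT" }
  accepts + ["-A INPUT -p tcp --dport #{port} -j DROP",
             "-A INPUT -p udp --dport #{port} -j DROP"]
end

if __FILE__ == $PROGRAM_NAME
  conf = parse_memcached_conf(SAMPLE_CONF)
  puts "listen=#{conf[:listen].join(',')} port=#{conf[:port]} exposed=#{exposed_listeners(conf).inspect}"
  puts '--- localhost-only memcached.conf ---'
  puts bind_to_localhost(SAMPLE_CONF)
  puts '--- iptables allow-list for swift-proxy nodes (constructed addresses) ---'
  puts iptables_rules(conf[:port], ['10.1.2.3/32', '10.1.2.4/32'])
end
```

Running the script against the sample reports 0.0.0.0 as an exposed listener, prints the rewritten config with only `-l 127.0.0.1`, and emits the allow-list rules; a cookbook check for the Horizon (localhost-only) versus Swift (shared) cases would branch on whether `exposed_listeners` is empty.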