mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
translated
This commit is contained in:
parent
8ecd6ad64d
commit
e591c3499b
@ -1,60 +0,0 @@
Translating---firmianay
70,000 Memcached Servers Can Be Hacked Using Eight-Month-Old Flaws
============================================================
![](https://cdn.thenewstack.io/media/2017/07/261d7153-business-841174_640.jpg)
Eight months after three critical vulnerabilities were fixed in the memcached open source caching software, there are over 70,000 caching servers directly exposed on the internet that have yet to be patched. Hackers could execute malicious code on them or steal potentially sensitive data from their caches, security researchers warn.
[Memcached][1] is a software package that implements a high performance caching server for storing chunks of data obtained from database and API calls in RAM. This helps speed up dynamic web applications, making it well suited for large websites and big-data projects.
While memcached is not a database replacement, the data it stores in RAM can include user sessions and other sensitive information from database queries. As such, the server was not designed to be directly exposed to untrusted environments like the internet, even though some of the more recent versions support basic authentication.
Back in October, the memcached developers fixed three remote code execution vulnerabilities ([CVE-2016-8704][2], [CVE-2016-8705][3] and [CVE-2016-8706][4]) that were found and reported by security researchers from [Cisco Systems’ Talos division][5]. All of these flaws affected memcached’s binary protocol for storing and retrieving data and one of them was in the [Simple Authentication and Security Layer ][6](SASL) implementation.
Throughout December and January several groups of attackers wiped data from tens of thousands of publicly exposed databases including MongoDB, CouchDB, Hadoop and Elasticsearch clusters. In many cases they asked server administrators for money to return the data, but there was no evidence they actually copied it.
The Talos researchers thought that memcached servers might be the next target, especially giving the flaws they had identified a few months earlier, so in February they decided to run a series of internet scans to determine the potential attack surface.
The scan results revealed that around 108,000 memcached servers were directly exposed to the internet and only 24,000 of them required authentication. The fact that so many servers were publicly accessible without authentication was bad enough, but when they also tested for the presence of the three vulnerabilities, they found that only 200 servers requiring authentication actually had the October patches deployed. All the rest were open to hacking through the SASL vulnerability.
Overall, 85,000 or around 80 percent of all memcached servers exposed to the internet lacked the security fixes for the three critical flaws announced in October.
Troubled by the poor patch adoption rate, the Talos researchers decided to run whois queries on the IP addresses of all of those servers and send notification emails to their owners.
Earlier this month the researchers decided to redo their scans. They found that there are still 106,000 memcached servers exposed to the internet, although 28,500 have different IP addresses than the ones found in February.
Of these 106,000 servers, 73,400 or around 70 percent continue to be vulnerable to the three exploits patched in October. Over 18,000 of the identified servers require authentication and 99 percent of those continue to have the SASL vulnerability.
Even after sending tens of thousands of notification emails, the patch adoption rate improved by only 10 percent in six months.
“The severity of these types of vulnerabilities cannot be understated,” the Talos researchers said Monday in a [blog post][7]. “These vulnerabilities potentially affect a platform that is deployed across the internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world. If left unaddressed the vulnerabilities could be leveraged to impact organizations globally and impact business severely.”
The conclusions of this exercise suggest that many web application owners do a poor job of safeguarding their users’ data. First, a surprisingly large number of memcached servers are directly exposed to the internet and the majority of them do not use authentication. The data cached on these servers is at risk even without the presence of any vulnerabilities.
Second, even when critical vulnerabilities that could be used to completely compromise servers are patched, many server administrators don’t apply the security fixes in a timely manner, if ever.
Under these circumstances, seeing large scale attacks against memcached servers like those that targeted MongoDB databases would not be surprising.
--------------------------------------------------------------------------------
via: https://thenewstack.io/70000-memcached-servers-can-hacked-using-eight-month-old-flaws/
作者:[Lucian Constantin ][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://thenewstack.io/author/lucian/
[1]:https://memcached.org/
[2]:https://www.talosintelligence.com/reports/TALOS-2016-0219/
[3]:https://www.talosintelligence.com/reports/TALOS-2016-0220/
[4]:https://www.talosintelligence.com/reports/TALOS-2016-0221/
[5]:https://www.talosintelligence.com/
[6]:https://tools.ietf.org/html/rfc4422
[7]:http://blog.talosintelligence.com/2017/07/memcached-patch-failure.html
[8]:https://thenewstack.io/author/lucian/
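Review bot: the removed English source carries a dangling reference entry, `[8]:https://thenewstack.io/author/lucian/`, that duplicates `[a]` and is cited nowhere in the body, so it does not need to be carried into the translated file; the same file also has a stray space inside the link text `[Simple Authentication and Security Layer ][6](SASL)`, which is worth catching in the translation rather than inheriting. The removal itself, including the `Translating---firmianay` claim marker at the top, is consistent with moving the article out of the sources tree once the translation lands.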
@ -0,0 +1,57 @@
漏洞修复八个月后仍有超过 70,000 台 Memcached 服务器面临危险
============================================================
![](https://cdn.thenewstack.io/media/2017/07/261d7153-business-841174_640.jpg)
在开源缓存软件 memcached 修复了三个关键漏洞的八个月之后,仍有超过 70,000 台未打补丁的缓存服务器直接暴露在互联网上。安全研究员警告说,黑客可能会在服务器上执行恶意代码或从其缓存中窃取潜在的敏感数据。
[Memcached][1] 是一个实现了高性能缓存服务的软件包,用于存储从数据库和 ARM 中获取的数据块。这有助于提高动态 Web 应用程序的速度,使其更加适合大型网站和大数据项目。
虽然 memcached 不是数据库的替代品,但它存储在 RAM 中的数据包括来自数据库查询的用户会话和其他敏感信息。因此,服务器的设计不能直接暴露在互联网等不受信任的环境中,最新的版本已经支持了基本的身份验证。
去年 10 月份,memcached 的开发者修复了由 [思科 Talos 部门][5] 安全研究员发现并报告的三个远程代码执行漏洞([CVE-2016-8704][2],[CVE-2016-8705][3] 和 [CVE-2016-8706][4])。所有这些漏洞都影响到了 memcached 用于存储和检索数据的二进制协议,其中一个漏洞在 [Simple Authentication and Security Layer ][6](SASL) 中实现。
在去年 12 月到今年 1 月期间,成队的攻击者从数万个公开的数据库中擦除数据,包括 MongoDB,CouchDB,Hadoop 和 Elasticsearch 集群。在很多情况下,攻击者对希望恢复数据的服务器管理员进行勒索,然而没有任何证据表明他们的确对删除数据进行了复制。
Talos 的研究人员认为, memcached 服务器可能是下一个被攻击的目标,特别是在几个月前发现了漏洞之后。所以在二月份他们决定进行一系列的互联网扫描来确定潜在的攻击面。
扫描结果显示,大约有 108,000 个 memcached 服务器直接暴露在互联网上,其中只有 24,000 个服务器需要身份验证。如此多的服务器在没有身份验证的情况下可以公开访问已经足够糟糕,但是当他们对所提交的三个漏洞进行测试时,他们发现只有 200 台需要身份验证的服务器部署了 10 月的补丁。其他的所有服务器都可能通过 SASL 漏洞进行攻击。
总的来说,暴露于互联网上的 memcached 服务器有 85,000 个或大约 80% 都没有对 10 月份的三个关键漏洞进行安全修复。
由于补丁的采用率不佳,Talos 的研究人员决定对所有这些服务器的 IP 地址进行 whois 查询,并向其所有者发送电子邮件通知。
本月初,研究人员决定再次进行扫描。他们发现,虽然有 28,500 台服务器的 IP 地址与 2 月份时的地址不同,但仍然有 106,000 台 memcached 服务器暴露在因特网上。
在这 106,000 台服务器中,有 73,400 台或大约 70% 的服务器在 10 月份修复的三个漏洞的测试中仍然受到攻击。超过 18,000 个已识别的服务器需要身份验证,其中 99% 的服务器仍然存在 SASL 漏洞。
即便是发送了成千上万封电子邮件进行通知,补丁的采用率仅仅提高了 10%。
Talos 研究人员在周一的[博客][7]中表示:“这些漏洞的严重程度不能被低估。这些漏洞可能会影响到小型和大型企业在互联网上部署的平台,随着最近大量的蠕虫利用漏洞进行攻击,应该为全世界的服务器管理员敲响警钟。如果这些漏洞没有修复,就可能被利用,对组织和业务造成严重的影响。”
这项工作的结论表明,许多网络应用程序的所有者在保护用户数据方面做得不好。首先,大量的 Memcached 服务器直接暴露在互联网上,其中大多数都没有使用身份验证。即使没有任何漏洞,这些服务器上缓存的数据也存在着安全风险。
其次,即使提供了关键漏洞的补丁,许多服务器管理员也不会及时地进行修复。
在这种情况下,看到 memcached 服务器像 MongoDB 数据库一样被大规模攻击也并不奇怪。
--------------------------------------------------------------------------------
via: https://thenewstack.io/70000-memcached-servers-can-hacked-using-eight-month-old-flaws/
作者:[Lucian Constantin ][a]
译者:[firmianay](https://github.com/firmianay)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://thenewstack.io/author/lucian/
[1]:https://memcached.org/
[2]:https://www.talosintelligence.com/reports/TALOS-2016-0219/
[3]:https://www.talosintelligence.com/reports/TALOS-2016-0220/
[4]:https://www.talosintelligence.com/reports/TALOS-2016-0221/
[5]:https://www.talosintelligence.com/
[6]:https://tools.ietf.org/html/rfc4422
[7]:http://blog.talosintelligence.com/2017/07/memcached-patch-failure.html
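Review bot: the Memcached description paragraph mistranslates the source. `用于存储从数据库和 ARM 中获取的数据块` should say the cached chunks come from database and API calls and are held in RAM (for example `用于在内存（RAM）中存储从数据库和 API 调用中获取的数据块`); "ARM" appears nowhere in the original and changes the technical meaning. Two more accuracy fixes in the same hunk: `其中一个漏洞在 [Simple Authentication and Security Layer ][6](SASL) 中实现` inverts "one of them was in the SASL implementation" and should read `其中一个位于 SASL 的实现中` (also dropping the stray space before `][6]`), and `补丁的采用率仅仅提高了 10%` omits the source's "in six months" (`六个月内仅仅提高了 10%`). Smaller wording points: `成队的攻击者` for "several groups of attackers" reads better as `几批攻击者`, and `在 10 月份修复的三个漏洞的测试中仍然受到攻击` should state that the servers remain vulnerable to the three patched flaws rather than that they were attacked during the test. The `校对者ID` placeholder on the 校对 line is fine to leave for the proofreading step.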