SECURITY PROBLEM: Open Memcached in Zimbra 8.6.0_GA_1153

jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm


Postby jorgedlcruz » Tue Jan 20, 2015 5:48 am

Hi mo23,

I've opened a bug and you can add yourself to keep posted, and also vote for it - https://bugzilla.zimbra.com/show_bug.cgi?id=97404

Best regards

Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
mo23
Posts: 3
Joined: Mon Jan 19, 2015 9:10 am


Postby mo23 » Tue Jan 20, 2015 5:51 am

Top thx!
msquadrat
Advanced member
Posts: 166
Joined: Mon Oct 14, 2013 10:09 am


Postby msquadrat » Tue Jan 20, 2015 9:42 am

The Ports wiki page is a good start but IMHO that information should be in the Admin Guide (probably in an appendix) with an exact documentation of which Zimbra service/package requires access to which other package and which port. Also, the options to change those ports should be included.


For example in this case:

from           to                 port                 default
zimbra-proxy   zimbra-memcached   zimbraMemcachedPort  11211
zimbra-store   zimbra-memcached   zimbraMemcachedPort  11211

(Surprised about the latter one? I was so as well in bug 90012.)

itq_kris
Posts: 1
Joined: Sat Jan 23, 2016 5:32 am


Postby itq_kris » Sat Jan 23, 2016 5:35 am

Solution:

nano "/opt/zimbra/bin/zmmemcachedctl"

search for this line (line 70): /opt/zimbra/${servicename}/bin/${servicename} -d -P ${pidfile}

and change it to: /opt/zimbra/${servicename}/bin/${servicename} -d -l 127.0.0.1 -P ${pidfile}

Result:

lsof -i -n -P | grep mem

memcached 7976 zimbra 26u IPv4 60941 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 7976 zimbra 27u IPv4 60942 0t0 UDP 127.0.0.1:11211
tonster
Zimbra Employee
Posts: 303
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016


Postby tonster » Sat Jan 23, 2016 8:26 am

This is not a proper solution. The proper solution is to maintain a proper firewall, as with many other ports that zimbra uses that shouldn't generally be open publicly, like lmtp and ldap.
KualoCraig
Posts: 1
Joined: Tue Nov 14, 2017 1:23 am


Postby KualoCraig » Tue Nov 14, 2017 1:46 am

I came across this today, and although I agree that firewalling is prudent, I also disagree that ports should be bound to all IPs by default on the assumption that a firewall will a) be in place and b) be configured to block this traffic. In my view, binding to all IPs should only occur when there is a specific need for it (i.e. multi-server).

Here's what might appear to be a better way to do this, for anyone else searching as I was today:

su - zimbra

Make the changes:

/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

Verify:

/opt/zimbra/bin/zmprov -l gs `zmhostname` zimbraMemcachedBindAddress
/opt/zimbra/bin/zmprov -l gs `zmhostname` zimbraMemcachedClientServerList

Restart Zimbra:

zmcontrol restart

You can check that memcached is only running on 127.0.0.1:

$ lsof -i tcp:11211
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
memcached 12630 zimbra 26u IPv4 3443249076 0t0 TCP localhost:11211 (LISTEN)


Now, if you want to verify that objects are being stored, then as root:

wget -O /usr/bin/memcached-tool https://raw.githubusercontent.com/memcached/memcached/master/scripts/memcached-tool
chmod +x /usr/bin/memcached-tool

Then run (once Zimbra has been running a short while):

memcached-tool 127.0.0.1:11211 stats | grep total_items

You should have a non-zero value for total_items.

Warm regards,

Craig
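Building on the lsof check in Craig's post, here is an added example (not code from this thread or from Zimbra): a POSIX sh function that reads `lsof -i -n -P` output and flags any memcached socket bound to something other than loopback, so the bind address can be audited after `zmcontrol restart` or on every host of a multi-server setup. The sample lines are constructed in the thread's lsof format; the `-sample` and `-live` flags are this script's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from Zimbra. Reads
# `lsof -i -n -P`-style lines on stdin, prints every memcached socket that
# is bound to something other than loopback, and returns 1 if any was found.
# Column layout assumed: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
memcached_exposed() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            memcached*) ;;        # only look at memcached processes
            *) continue ;;
        esac
        # NAME column, e.g. 127.0.0.1:11211, *:11211 or [::1]:11211
        name=$(printf '%s\n' "$line" | awk '{print $9}')
        addr=${name%:*}           # strip the :port suffix
        case "$addr" in
            127.*|'[::1]'|localhost) ;;          # loopback binds are fine
            *) printf 'EXPOSED: %s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample in the thread's lsof format: two loopback sockets and
# one wildcard (*:11211) listener that only a firewall would protect.
SAMPLE_LSOF='memcached 7976 zimbra 26u IPv4 60941 0t0 TCP 127.0.0.1:11211 (LISTEN)
memcached 7976 zimbra 27u IPv4 60942 0t0 UDP 127.0.0.1:11211
memcached 8123 zimbra 28u IPv4 60950 0t0 TCP *:11211 (LISTEN)'

# Run the check against the constructed sample (-sample) or the live host (-live, needs lsof).
if [ "$1" = "-sample" ]; then
    printf '%s\n' "$SAMPLE_LSOF" | memcached_exposed
elif [ "$1" = "-live" ]; then
    lsof -i -n -P 2>/dev/null | memcached_exposed
fi
```

Note that the thread's own output shows memcached also opens a UDP socket on 11211, so the check covers UDP lines as well as TCP listeners.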
