CVE-2020-35197 – This vulnerability allows remote attackers to g... (How to Fix)

📋 TL;DR

This vulnerability allows remote attackers to gain root access to systems running affected memcached Docker images by using a blank password. It affects anyone using official memcached Docker images before version 1.5.11-alpine. The root user has a blank password by default in these vulnerable images.

💻 Affected Systems

Products:

official memcached Docker images

Versions: All versions before 1.5.11-alpine (Alpine Linux specific images)

Operating Systems: Alpine Linux (Docker containers)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Alpine Linux-based memcached Docker images. Other distributions or non-Docker installations are not affected.

📦 What is this software?

Memcached Docker Image by Docker

View all CVEs affecting Memcached Docker Image →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root-level access, allowing attackers to install malware, exfiltrate data, pivot to other systems, or destroy the container environment.

🟠

Likely Case

Attackers gain root access to the container, potentially accessing sensitive data in memcached, modifying cached data, or using the container as a foothold for lateral movement.

🟢

If Mitigated

Limited impact if proper network segmentation, container isolation, and authentication controls prevent access to the vulnerable service.

🌐 Internet-Facing: HIGH - Remote attackers can directly exploit this without authentication if the memcached port is exposed to the internet.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems on the same network could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is trivial - attackers simply need to connect to the memcached service and attempt root login with blank password.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.11-alpine and later

Vendor Advisory: https://github.com/docker-library/memcached/issues/1

Restart Required: Yes

Instructions:

1. Pull the updated image: docker pull memcached:1.5.11-alpine
2. Stop the vulnerable container
3. Remove the vulnerable container
4. Deploy new container using the patched image

🔧 Temporary Workarounds

Set root password in Dockerfile

linux

Create a custom Dockerfile that sets a strong root password before running memcached

FROM memcached:alpine
RUN echo 'root:StrongPassword123!' | chpasswd

Run as non-root user

linux

Configure the container to run memcached as a non-root user

docker run -u 1000:1000 memcached:alpine

🧯 If You Can't Patch

Implement strict network controls to limit access to memcached port (11211) only to trusted systems
Use container security tools to monitor for root login attempts and unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check Docker image version: docker images | grep memcached. If version is earlier than 1.5.11-alpine, you are vulnerable.

Check Version:

docker exec <container_name> memcached -V

Verify Fix Applied:

After updating, verify the image version is 1.5.11-alpine or later and test that root login with blank password fails.

📡 Detection & Monitoring

Log Indicators:

Failed or successful root login attempts in container logs
Authentication events with blank password

Network Indicators:

Unexpected connections to memcached port 11211
Brute force attempts against memcached service

SIEM Query:

source="docker" AND "memcached" AND ("root" OR "authentication" OR "login")

📊 Metadata

CVE ID: CVE-2020-35197

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: December 17, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/koharin/koharin2/blob/main/CVE-2020-35197 Third Party Advisory
https://github.com/koharin/koharin2/blob/main/CVE-2020-35197 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-35197, you might also want to check these: