Date: Tue, 1 Nov 2016 10:19:36 +0100
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Memcached 1.4.32 and earlier buffer overflow.

As per Talos page, there seem to be three issues.

CVE-2016-8704 - Memcached server append/prepend remote code execution
vulnerability

An integer overflow in the process_bin_append_prepend function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.

http://www.talosintelligence.com/reports/TALOS-2016-0219/

CVE-2016-8705 - Memcached server update remote code execution vulnerability

Multiple integer overflows in process_bin_update function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.

http://www.talosintelligence.com/reports/TALOS-2016-0220/

CVE-2016-8706 - Memcached server SASL authentication remote code
execution vulnerability

An integer overflow in process_bin_sasl_auth function which is
responsible for authentication commands of Memcached binary protocol can
be abused to cause heap overflow and lead to remote code execution.

http://www.talosintelligence.com/reports/TALOS-2016-0221/

There is also a talos blog post about these issues:

http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

Thanks for sharing!

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA

On 10/31/2016 11:35 PM, dormando wrote:
> Release notes with tarball here:
> https://github.com/memcached/memcached/wiki/ReleaseNotes1433
>
> Copy/paste from the release notes:
> Serious remote code execution bugs are fixed in this release.
>
> The bugs are related to the binary protocol as well as SASL authentication
> of the binary protocol.
>
> If you do not use the binary protocol at all, a workaround is to start
> memcached with -B ascii - otherwise you will need the patch in this
> release.
>
> The diff may apply cleanly to older versions as the affected code has not
> changed in a long time.
>
> Full details of the issues may be found here:
> http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html
>
> In summary: two binary protocol parsing errors, and a SASL authentication
> parsing error allow buffer overflows of keys into arbitrary memory
> space. With enough work undesirable effects are possible.
>
> CVEs were requested and assigned by the reporter. I unfortunately don't
> have them handy :(
>
> -Dormando
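
An added example, not part of this thread and not memcached's code or its patch: a C validator for the length fields of a binary protocol request header, showing the consistency check that stops a length derived by subtraction from wrapping. The struct, function name and MAX_BODYLEN cap are assumptions made for illustration; the field offsets follow the published memcached binary protocol header layout, and the two headers in main() are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length fields of a 24-byte binary protocol request header (hypothetical struct). */
struct bin_req { uint8_t opcode; uint16_t keylen; uint8_t extlen; uint32_t bodylen; };

#define REQ_MAGIC   0x80u
#define MAX_KEYLEN  250u             /* memcached's key length limit */
#define MAX_BODYLEN (1024u * 1024u)  /* assumed cap for this example */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 and stores the value length in *vlen, or -1 if the header is rejected. */
int parse_bin_header(const uint8_t *buf, size_t n, struct bin_req *h, uint32_t *vlen)
{
    if (n < 24 || buf[0] != REQ_MAGIC)
        return -1;
    h->opcode  = buf[1];
    h->keylen  = be16(buf + 2);
    h->extlen  = buf[4];
    h->bodylen = be32(buf + 8);   /* total body = extras + key + value */
    if (h->keylen > MAX_KEYLEN || h->bodylen > MAX_BODYLEN)
        return -1;
    /* Compare before subtracting, in unsigned arithmetic: a body shorter than
     * key + extras would otherwise wrap (or go negative in a signed int) and
     * end up as a bogus length passed to allocation or memcpy. */
    uint32_t fixed = (uint32_t)h->keylen + h->extlen;
    if (fixed > h->bodylen)
        return -1;
    *vlen = h->bodylen - fixed;
    return 0;
}

int main(void)
{
    /* Constructed headers: append (opcode 0x0e), remaining bytes are zero. */
    const uint8_t good[24] = {0x80, 0x0e, 0x00, 0x03, 0, 0, 0, 0, 0, 0, 0, 0x08};
    const uint8_t bad[24]  = {0x80, 0x0e, 0x00, 0xfa, 0, 0, 0, 0, 0, 0, 0, 0x08};
    struct bin_req h;
    uint32_t vlen = 0;
    printf("consistent:   %d\n", parse_bin_header(good, sizeof good, &h, &vlen));
    printf("inconsistent: %d\n", parse_bin_header(bad, sizeof bad, &h, &vlen));
    return 0;
}
```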
