Date: Wed, 7 Mar 2018 17:48:56 -0800 (PST) From: dormando <dormando@...ia.net> To: oss-security@...ts.openwall.com Subject: Memcached remote DoS in older versions Hello, There are a number of hang/crash bugs fixed in older versions of memcached. All are noted in the release notes of the versions containing the respective fixes, and most are years old. I'm writing this in case pointing this out can help drive users to close their instances from the internet; aside from participating in DDoS attacks and remote users being able to read any data stored in the instances, they can also be crashed or deadlocked. I have a working POC deadlock for versions 1.4.20ish to 1.4.37. Older ones should still be vulernable as well. I can supply the POC if there's interest, or adjust it for even older versions. The POC only takes a few seconds and kilobytes over a TCP connection and causes a mutex deadlock. Thanks, -Dormando
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ