Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 1 Nov 2016 10:19:36 +0100
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Memcached 1.4.32 and earlier buffer overflow.

As per Talos page, there seems to be three issues.

CVE-2016-8704 - Memcached server append/prepend remote code execution
vulnerability

An integer overflow in the process_bin_append_prepend function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.

http://www.talosintelligence.com/reports/TALOS-2016-0219/

CVE-2016-8705 - Memcached server update remote code execution vulnerability

Multiple integer overflows in process_bin_update function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.

http://www.talosintelligence.com/reports/TALOS-2016-0220/

CVE-2016-8706 - Memcached server SASL authentication remote code
execution vulnerability

An integer overflow in process_bin_sasl_auth function which is
responsible for authentication commands of Memcached binary protocol can
be abused to cause heap overflow and lead to remote code execution.

http://www.talosintelligence.com/reports/TALOS-2016-0221/

There is also a talos blog post about these issues:

http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

Thanks for sharing!

-- 
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA

On 10/31/2016 11:35 PM, dormando wrote:
> Release notes with tarball here:
> https://github.com/memcached/memcached/wiki/ReleaseNotes1433
>
> Copy/paste from the relase notes:
> Serious remote code execution bugs are fixed in this release.
>
> The bugs are related to the binary protocol as well as SASL authentication
> of the binary protocol.
>
> If you do not use the binary protocol at all, a workaround is to start
> memcached with -B ascii - otherwise you will need the patch in this
> release.
>
> The diff may apply cleanly to older versions as the affected code has not
> changed in a long time.
>
> Full details of the issues may be found here:
> http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html
>
> In summary: two binary protocol parsing errors, and a SASL authentication
> parsing error allows buffer overflows of keys into arbitrary memory
> space. With enough work undesireable effects are possible.
>
> CVE's were requested and assigned by the reporter. I unfortunately don't
> have them handy :(
>
> -Dormando




Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.