Bug 1007866 - Memcached: 1.4.32 and earlier buffer overflow
Status: RESOLVED DUPLICATE of bug 1007871
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.1
Hardware: Other Other
Importance: P5 - None : Normal
Assigned To: Security Team bot
Reported: 2016-11-01 09:50 UTC by Mikhail Kasimov
Modified: 2016-11-01 13:40 UTC

Description Mikhail Kasimov 2016-11-01 09:50:01 UTC
Reference: [1] http://seclists.org/oss-sec/2016/q4/290

[1]:
===================================================
Release notes with tarball here:
https://github.com/memcached/memcached/wiki/ReleaseNotes1433

Copy/paste from the release notes:
Serious remote code execution bugs are fixed in this release.

The bugs are related to the binary protocol as well as SASL authentication
of the binary protocol.

If you do not use the binary protocol at all, a workaround is to start
memcached with -B ascii - otherwise you will need the patch in this
release.

The diff may apply cleanly to older versions as the affected code has not
changed in a long time.

Full details of the issues may be found here:
http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

In summary: two binary protocol parsing errors, and a SASL authentication
parsing error allow buffer overflows of keys into arbitrary memory
space. With enough work undesirable effects are possible.

CVEs were requested and assigned by the reporter. I unfortunately don't
have them handy :(

-Dormando
===================================================

[2] https://software.opensuse.org/package/memcached

[2]:
===================================================
TW: 1.4.25
42.1: 1.4.22
13.2: 1.4.20
network:utilities repo: 1.4.25
server:php:extensions repo: 1.4.25
filesystems:openATTIC repo: 1.4.25
===================================================
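
An added triage sketch for the fix version, workaround and package versions quoted in the description above (example code, not part of the original report or of memcached). It classifies an instance by upstream version against 1.4.33 and by whether `-B ascii` is set; the command lines in the sample inventory are constructed, and a distribution package carrying a backported fix under an older version number will still be reported as exposed.

```python
import re
import shlex

FIXED = (1, 4, 33)  # first fixed upstream release per the release notes above

def parse_version(text):
    """Extract an upstream x.y.z version from a string such as 'memcached 1.4.25'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def binary_protocol_disabled(cmdline):
    """True if the last -B option on the command line binds the ASCII protocol."""
    proto = "auto"  # memcached default when -B is absent: binary protocol accepted
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "-B" and i + 1 < len(args):
            proto = args[i + 1]
        elif arg.startswith("-B") and len(arg) > 2:
            proto = arg[2:]  # getopt also accepts the attached form -Bascii
    return proto == "ascii"

def triage(version_text, cmdline):
    """Classify one instance as 'fixed', 'workaround' or 'exposed'."""
    if parse_version(version_text) >= FIXED:
        return "fixed"
    if binary_protocol_disabled(cmdline):
        return "workaround"
    return "exposed"

# Constructed inventory: versions are the ones listed in the report, the
# command lines are made up for illustration.
SAMPLE = [
    ("TW", "memcached 1.4.25", "/usr/sbin/memcached -p 11211 -U 0"),
    ("42.1", "memcached 1.4.22", "/usr/sbin/memcached -B ascii -p 11211"),
    ("13.2", "memcached 1.4.20", "/usr/sbin/memcached -p 11211 -B binary"),
    ("patched", "memcached 1.4.33", "/usr/sbin/memcached -p 11211"),
]

if __name__ == "__main__":
    for name, version, cmdline in SAMPLE:
        print(f"{name:8} {version:18} {triage(version, cmdline)}")
```
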
Comment 1 Mikhail Kasimov 2016-11-01 11:02:37 UTC
Reference: http://seclists.org/oss-sec/2016/q4/292
===================================================================
As per the Talos page, there seem to be three issues.

CVE-2016-8704 - Memcached server append/prepend remote code execution
vulnerability

An integer overflow in the process_bin_append_prepend function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.

http://www.talosintelligence.com/reports/TALOS-2016-0219/

CVE-2016-8705 - Memcached server update remote code execution vulnerability

Multiple integer overflows in the process_bin_update function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.

http://www.talosintelligence.com/reports/TALOS-2016-0220/

CVE-2016-8706 - Memcached server SASL authentication remote code
execution vulnerability

An integer overflow in the process_bin_sasl_auth function which is
responsible for authentication commands of Memcached binary protocol can
be abused to cause heap overflow and lead to remote code execution.

http://www.talosintelligence.com/reports/TALOS-2016-0221/

There is also a talos blog post about these issues:

http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

Thanks for sharing!
===================================================================
Comment 2 Andreas Stieger 2016-11-01 13:40:48 UTC
See bug CVE-2016-8704, bug CVE-2016-8705, bug CVE-2016-8706

*** This bug has been marked as a duplicate of bug 1007871 ***