Vulnerabilities > CVE-2011-4971 - Numeric Errors vulnerability in Memcached

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
memcached
CWE-189
nessus
metasploit

Summary

Multiple integer signedness errors in the (1) process_bin_sasl_auth, (2) process_bin_complete_sasl_auth, (3) process_bin_update, and (4) process_bin_append_prepend functions in Memcached 1.4.5 and earlier allow remote attackers to cause a denial of service (crash) via a large body length value in a packet.

Common Weakness Enumeration (CWE)

Metasploit

descriptionThis module sends a specially-crafted packet to cause a segmentation fault in memcached v1.4.15 or earlier versions.
idMSF:AUXILIARY/DOS/MISC/MEMCACHED
last seen2020-03-01
modified2017-07-24
published2013-04-30
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/misc/memcached.rb
titleMemcached Remote Denial of Service

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2832.NASL
    descriptionMultiple vulnerabilities have been found in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2011-4971 Stefan Bucur reported that memcached could be caused to crash by sending a specially crafted packet. - CVE-2013-7239 It was reported that SASL authentication could be bypassed due to a flaw related to the managment of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials.
    last seen2020-03-17
    modified2014-01-02
    plugin id71780
    published2014-01-02
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/71780
    titleDebian DSA-2832-1 : memcached - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2832. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71780);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2011-4971", "CVE-2013-7239");
      script_bugtraq_id(59567, 64559);
      script_xref(name:"DSA", value:"2832");
    
      script_name(english:"Debian DSA-2832-1 : memcached - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been found in memcached, a
    high-performance memory object caching system. The Common
    Vulnerabilities and Exposures project identifies the following issues
    :
    
      - CVE-2011-4971
        Stefan Bucur reported that memcached could be caused to
        crash by sending a specially crafted packet.
    
      - CVE-2013-7239
        It was reported that SASL authentication could be
        bypassed due to a flaw related to the managment of the
        SASL authentication state. With a specially crafted
        request, a remote attacker may be able to authenticate
        with invalid SASL credentials."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706426"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733643"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2011-4971"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-7239"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-7239"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2013-0179"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze/memcached"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/memcached"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2014/dsa-2832"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the memcached packages.
    
    For the oldstable distribution (squeeze), these problems have been
    fixed in version 1.4.5-1+deb6u1. Note that the patch for CVE-2013-7239
    was not applied for the oldstable distribution as SASL support is not
    enabled in this version. This update also provides the fix for
    CVE-2013-0179 which was fixed for stable already.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 1.4.13-0.2+deb7u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:memcached");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/01/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"memcached", reference:"1.4.5-1+deb6u1")) flag++;
    if (deb_check(release:"7.0", prefix:"memcached", reference:"1.4.13-0.2+deb7u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-0926.NASL
    descriptionThis is an update to the latest upstream release. It fixes several security vulnerabilities, possible crashes when the key is printed in verbose mode and crash with specially crafted packet. (CVE-2011-4971, CVE-2013-0179, CVE-2013-7291 CVE-2013-7290) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-02-03
    plugin id72249
    published2014-02-03
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72249
    titleFedora 20 : memcached-1.4.17-1.fc20 (2014-0926)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2014-0926.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(72249);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2011-4971", "CVE-2013-0179", "CVE-2013-7290", "CVE-2013-7291");
      script_xref(name:"FEDORA", value:"2014-0926");
    
      script_name(english:"Fedora 20 : memcached-1.4.17-1.fc20 (2014-0926)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This is an update to the latest upstream release. It fixes several
    security vulnerabilities, possible crashes when the key is printed in
    verbose mode and crash with specially crafted packet. (CVE-2011-4971,
    CVE-2013-0179, CVE-2013-7291 CVE-2013-7290)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1052863"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1052864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=895054"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=957964"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127603.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e7fa9ae2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected memcached package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:memcached");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC20", reference:"memcached-1.4.17-1.fc20")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "memcached");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201406-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201406-13 (memcached: Multiple vulnerabilities) memcached authentication could be bypassed when using SASL due to a flaw related to SASL authentication state. Also several heap-based buffer overflows due to integer conversions when parsing certain length attributes were discovered. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition or authenticate with invalid SASL credentials, bypassing memcached authentication completely. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id76064
    published2014-06-16
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76064
    titleGLSA-201406-13 : memcached: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-0934.NASL
    descriptionThis is an update to the latest upstream release. It fixes several security vulnerabilities, possible crashes when the key is printed in verbose mode and crash with specially crafted packet. (CVE-2011-4971, CVE-2013-0179, CVE-2013-7291 CVE-2013-7290) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2014-02-03
    plugin id72250
    published2014-02-03
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72250
    titleFedora 19 : memcached-1.4.17-1.fc19 (2014-0934)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2080-1.NASL
    descriptionStefan Bucur discovered that Memcached incorrectly handled certain large body lengths. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service. (CVE-2011-4971) Jeremy Sowden discovered that Memcached incorrectly handled logging certain details when the -vv option was used. An attacker could use this issue to cause Memcached to crash, resulting in a denial of service. (CVE-2013-0179) It was discovered that Memcached incorrectly handled SASL authentication. A remote attacker could use this issue to bypass SASL authentication completely. This issue only affected Ubuntu 12.10, Ubuntu 13.04 and Ubuntu 13.10. (CVE-2013-7239). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2014-01-14
    plugin id71938
    published2014-01-14
    reporterUbuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/71938
    titleUbuntu 12.04 LTS / 12.10 / 13.04 / 13.10 : memcached vulnerabilities (USN-2080-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-454.NASL
    descriptionmemcached was updated to version 1.4.20 to fix five security issues. These security issues were fixed : - DoS when printing out keys to be deleted in verbose mode (CVE-2013-0179) - Remote DoS (crash) via a request that triggers
    last seen2020-06-05
    modified2014-07-04
    plugin id76365
    published2014-07-04
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76365
    titleopenSUSE Security Update : memcached (openSUSE-SU-2014:0867-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2013-280.NASL
    descriptionA vulnerability was found and corrected in memcached : Memcached is vulnerable to a denial of service as it can be made to crash when it receives a specially crafted packet over the network (CVE-2011-4971). The updated packages for Enterprise Server 5 has beed patched to resolve this flaw. The updated packages for Business Server 1 has been upgraded to the 1.4.15 version and patched to resolve this flaw.
    last seen2020-06-01
    modified2020-06-02
    plugin id71075
    published2013-11-25
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/71075
    titleMandriva Linux Security Advisory : memcached (MDVSA-2013:280)