CVE-2016-8706 - Integer Overflow or Wraparound vulnerability in Memcached
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An integer overflow in the process_bin_sasl_auth function in Memcached, which is responsible for the authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow: This attack forces an integer variable to go out of range. The integer variable is often used as an offset, as the size of a memory allocation, or similar. The attacker would typically control the value of such a variable and try to get it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201701-12.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201701-12 (memcached: Multiple vulnerabilities) Multiple integer overflow vulnerabilities were discovered in memcached. Please review the CVE identifiers and Cisco TALOS reports referenced below for details. Impact : A remote attacker could abuse memcached’s binary protocol leading to the remote execution of arbitrary code. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 96243 |
published | 2017-01-03 |
reporter | This script is Copyright (C) 2017 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/96243 |
title | GLSA-201701-12 : memcached: Multiple vulnerabilities |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2016-2819.NASL |
description | An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 95291 |
published | 2016-11-23 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95291 |
title | RHEL 7 : memcached (RHSA-2016:2819) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-701.NASL |
description | Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. A remote attacker could take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code. CVE-2013-7291 It was discovered that memcached, when running in verbose mode, can be crashed by sending carefully crafted requests that trigger an unbounded key print, resulting in a daemon crash. CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Aleksandar Nikolic of Cisco Talos found several vulnerabilities in memcached. A remote attacker could cause an integer overflow by sending carefully crafted requests to the memcached server, resulting in a daemon crash. For Debian 7 |
last seen | 2020-03-17 |
modified | 2016-11-07 |
plugin id | 94584 |
published | 2016-11-07 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94584 |
title | Debian DLA-701-1 : memcached security update |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_F4BF713F6AC74B76898047BF90C5419F.NASL |
description | Cisco Talos reports : Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands. An attacker could exploit these vulnerabilities by sending a specifically crafted Memcached command to the targeted server. Additionally, these vulnerabilities could also be exploited to leak sensitive process information which an attacker could use to bypass common exploitation mitigations, such as ASLR, and can be triggered multiple times. This enables reliable exploitation which makes these vulnerabilities severe. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 94459 |
published | 2016-11-02 |
reporter | This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94459 |
title | FreeBSD : memcached -- multiple vulnerabilities (f4bf713f-6ac7-4b76-8980-47bf90c5419f) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-3704.NASL |
description | Aleksandar Nikolic of Cisco Talos discovered several integer overflow vulnerabilities in memcached, a high-performance memory object caching system. A remote attacker can take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 94521 |
published | 2016-11-04 |
reporter | This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94521 |
title | Debian DSA-3704-1 : memcached - security update |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1396.NASL |
description | According to the versions of the memcached package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124899 |
published | 2019-05-14 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124899 |
title | EulerOS Virtualization for ARM 64 3.0.1.0 : memcached (EulerOS-SA-2019-1396) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2016-0C4E822340.NASL |
description | Update to the latest upstream release, which fixes CVE-2016-8704, CVE-2016-8705, CVE-2016-8706. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2016-12-08 |
plugin id | 95611 |
published | 2016-12-08 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95611 |
title | Fedora 25 : memcached (2016-0c4e822340) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2016-1314.NASL |
description | This update for memcached fixes the following security issues : - CVE-2016-8704: Server append/prepend remote code execution (boo#1007871) - CVE-2016-8705: Server update remote code execution (boo#1007870) - CVE-2016-8706: Server ASL authentication remote code execution (boo#1007869) In addition, memcached was updated to 1.4.33 to include all upstream improvements and bugfixes. |
last seen | 2020-06-05 |
modified | 2016-11-18 |
plugin id | 94949 |
published | 2016-11-18 |
reporter | This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/94949 |
title | openSUSE Security Update : memcached (openSUSE-2016-1314) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20161123_MEMCACHED_ON_SL7_X.NASL |
description | Security Fix(es) : - Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-03-18 |
modified | 2016-12-15 |
plugin id | 95866 |
published | 2016-12-15 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95866 |
title | Scientific Linux Security Update : memcached on SL7.x x86_64 (20161123) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2016-761.NASL |
description | An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 94681 |
published | 2016-11-11 |
reporter | This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/94681 |
title | Amazon Linux AMI : memcached (ALAS-2016-761) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2016-4DF986A71F.NASL |
description | Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2016-11-15 |
plugin id | 94804 |
published | 2016-11-15 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94804 |
title | Fedora 23 : memcached (2016-4df986a71f) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2016-1313.NASL |
description | This update for memcached fixes the following security issues : - CVE-2016-8704: Server append/prepend remote code execution (boo#1007871) - CVE-2016-8705: Server update remote code execution (boo#1007870) - CVE-2016-8706: Server ASL authentication remote code execution (boo#1007869) |
last seen | 2020-06-05 |
modified | 2016-11-18 |
plugin id | 94948 |
published | 2016-11-18 |
reporter | This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/94948 |
title | openSUSE Security Update : memcached (openSUSE-2016-1313) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2016-2819.NASL |
description | An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 95356 |
published | 2016-11-28 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95356 |
title | CentOS 7 : memcached (CESA-2016:2819) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2016-66C70CADB4.NASL |
description | Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2016-11-15 |
plugin id | 94814 |
published | 2016-11-15 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94814 |
title | Fedora 24 : memcached (2016-66c70cadb4) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2016-2819.NASL |
description | From Red Hat Security Advisory 2016:2819 : An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 95276 |
published | 2016-11-23 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95276 |
title | Oracle Linux 7 : memcached (ELSA-2016-2819) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2016-1086.NASL |
description | According to the versions of the memcached package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached |
last seen | 2020-05-06 |
modified | 2017-05-01 |
plugin id | 99845 |
published | 2017-05-01 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/99845 |
title | EulerOS 2.0 SP1 : memcached (EulerOS-SA-2016-1086) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1435.NASL |
description | According to the versions of the memcached package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124938 |
published | 2019-05-14 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124938 |
title | EulerOS Virtualization 3.0.1.0 : memcached (EulerOS-SA-2019-1435) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3120-1.NASL |
description | Aleksandar Nikolic discovered that Memcached incorrectly handled certain malformed commands. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 94509 |
published | 2016-11-03 |
reporter | Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94509 |
title | Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : memcached vulnerabilities (USN-3120-1) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/139572/memcache-poc.txt |
id | PACKETSTORM:139572 |
last seen | 2016-12-05 |
published | 2016-11-03 |
reporter | dawu |
source | https://packetstormsecurity.com/files/139572/Memcached-1.4.33-Proof-Of-Concept.html |
title | Memcached 1.4.33 Proof Of Concept |
Talos
id | TALOS-2016-0221 |
last seen | 2019-05-29 |
published | 2016-10-31 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0221 |
title | Memcached Server SASL Authentication Remote Code Execution Vulnerability |
The Hacker News
id | THN:0CB5E22FC1D91226BC56E430F1E31C62 |
last seen | 2018-01-27 |
modified | 2016-11-02 |
published | 2016-11-01 |
reporter | Swati Khandelwal |
source | https://thehackernews.com/2016/11/memcached-hacking.html |
title | Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System |

id | THN:D62B44A1B8B3D803033457090AB49300 |
last seen | 2018-01-27 |
modified | 2017-07-18 |
published | 2017-07-18 |
reporter | Swati Khandelwal |
source | https://thehackernews.com/2017/07/memcached-vulnerabilities.html |
title | Over 70,000 Memcached Servers Still Vulnerable to Remote Hacking |
References
- http://rhn.redhat.com/errata/RHSA-2016-2819.html
- http://www.debian.org/security/2016/dsa-3704
- http://www.securityfocus.com/bid/94083
- http://www.securitytracker.com/id/1037333
- http://www.talosintelligence.com/reports/TALOS-2016-0221/
- https://security.gentoo.org/glsa/201701-12