CVE-2016-8706 - Integer Overflow or Wraparound vulnerability in Memcached

CVSS 8.1 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, high complexity, memcached, CWE-190, nessus

Summary

An integer overflow in the process_bin_sasl_auth function in Memcached, which is responsible for the authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker typically controls the value of the variable and tries to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201701-12.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201701-12 (memcached: Multiple vulnerabilities) Multiple integer overflow vulnerabilities were discovered in memcached. Please review the CVE identifiers and Cisco TALOS reports referenced below for details. Impact : A remote attacker could abuse memcached’s binary protocol leading to the remote execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96243
    published: 2017-01-03
    reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/96243
    title: GLSA-201701-12 : memcached: Multiple vulnerabilities
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2016-2819.NASL
    description: An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 95291
    published: 2016-11-23
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95291
    title: RHEL 7 : memcached (RHSA-2016:2819)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-701.NASL
    description: Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. A remote attacker could take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code. CVE-2013-7291 It was discovered that memcached, when running in verbose mode, can be crashed by sending carefully crafted requests that trigger an unbounded key print, resulting in a daemon crash. CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Aleksandar Nikolic of Cisco Talos found several vulnerabilities in memcached. A remote attacker could cause an integer overflow by sending carefully crafted requests to the memcached server, resulting in a daemon crash. For Debian 7
    last seen: 2020-03-17
    modified: 2016-11-07
    plugin id: 94584
    published: 2016-11-07
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94584
    title: Debian DLA-701-1 : memcached security update
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_F4BF713F6AC74B76898047BF90C5419F.NASL
    description: Cisco Talos reports : Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands. An attacker could exploit these vulnerabilities by sending a specifically crafted Memcached command to the targeted server. Additionally, these vulnerabilities could also be exploited to leak sensitive process information which an attacker could use to bypass common exploitation mitigations, such as ASLR, and can be triggered multiple times. This enables reliable exploitation which makes these vulnerabilities severe.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94459
    published: 2016-11-02
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94459
    title: FreeBSD : memcached -- multiple vulnerabilities (f4bf713f-6ac7-4b76-8980-47bf90c5419f)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3704.NASL
    description: Aleksandar Nikolic of Cisco Talos discovered several integer overflow vulnerabilities in memcached, a high-performance memory object caching system. A remote attacker can take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94521
    published: 2016-11-04
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94521
    title: Debian DSA-3704-1 : memcached - security update
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1396.NASL
    description: According to the versions of the memcached package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 124899
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124899
    title: EulerOS Virtualization for ARM 64 3.0.1.0 : memcached (EulerOS-SA-2019-1396)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-0C4E822340.NASL
    description: Update to the latest upstream release, which fixes CVE-2016-8704, CVE-2016-8705, CVE-2016-8706. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-12-08
    plugin id: 95611
    published: 2016-12-08
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95611
    title: Fedora 25 : memcached (2016-0c4e822340)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-1314.NASL
    description: This update for memcached fixes the following security issues : - CVE-2016-8704: Server append/prepend remote code execution (boo#1007871) - CVE-2016-8705: Server update remote code execution (boo#1007870) - CVE-2016-8706: Server ASL authentication remote code execution (boo#1007869) In addition, memcached was updated to 1.4.33 to include all upstream improvements and bugfixes.
    last seen: 2020-06-05
    modified: 2016-11-18
    plugin id: 94949
    published: 2016-11-18
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/94949
    title: openSUSE Security Update : memcached (openSUSE-2016-1314)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20161123_MEMCACHED_ON_SL7_X.NASL
    description: Security Fix(es) : - Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-03-18
    modified: 2016-12-15
    plugin id: 95866
    published: 2016-12-15
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95866
    title: Scientific Linux Security Update : memcached on SL7.x x86_64 (20161123)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2016-761.NASL
    description: An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94681
    published: 2016-11-11
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/94681
    title: Amazon Linux AMI : memcached (ALAS-2016-761)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-4DF986A71F.NASL
    description: Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-11-15
    plugin id: 94804
    published: 2016-11-15
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94804
    title: Fedora 23 : memcached (2016-4df986a71f)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-1313.NASL
    description: This update for memcached fixes the following security issues : - CVE-2016-8704: Server append/prepend remote code execution (boo#1007871) - CVE-2016-8705: Server update remote code execution (boo#1007870) - CVE-2016-8706: Server ASL authentication remote code execution (boo#1007869)
    last seen: 2020-06-05
    modified: 2016-11-18
    plugin id: 94948
    published: 2016-11-18
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/94948
    title: openSUSE Security Update : memcached (openSUSE-2016-1313)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2016-2819.NASL
    description: An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 95356
    published: 2016-11-28
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95356
    title: CentOS 7 : memcached (CESA-2016:2819)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-66C70CADB4.NASL
    description: Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-11-15
    plugin id: 94814
    published: 2016-11-15
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94814
    title: Fedora 24 : memcached (2016-66c70cadb4)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2016-2819.NASL
    description: From Red Hat Security Advisory 2016:2819 : An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 95276
    published: 2016-11-23
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/95276
    title: Oracle Linux 7 : memcached (ELSA-2016-2819)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2016-1086.NASL
    description: According to the versions of the memcached package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached
    last seen: 2020-05-06
    modified: 2017-05-01
    plugin id: 99845
    published: 2017-05-01
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99845
    title: EulerOS 2.0 SP1 : memcached (EulerOS-SA-2016-1086)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1435.NASL
    description: According to the versions of the memcached package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 124938
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/124938
    title: EulerOS Virtualization 3.0.1.0 : memcached (EulerOS-SA-2019-1435)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3120-1.NASL
    description: Aleksandar Nikolic discovered that Memcached incorrectly handled certain malformed commands. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94509
    published: 2016-11-03
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94509
    title: Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : memcached vulnerabilities (USN-3120-1)

Packetstorm

data source: https://packetstormsecurity.com/files/download/139572/memcache-poc.txt
id: PACKETSTORM:139572
last seen: 2016-12-05
published: 2016-11-03
reporter: dawu
source: https://packetstormsecurity.com/files/139572/Memcached-1.4.33-Proof-Of-Concept.html
title: Memcached 1.4.33 Proof Of Concept

Redhat

advisories
bugzilla
id: 1390512
title: CVE-2016-8706 memcached: SASL authentication remote code execution
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: memcached-devel is earlier than 0:1.4.15-10.el7_3.1
          oval: oval:com.redhat.rhsa:tst:20162819001
        • comment: memcached-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20162819002
      • AND
        • comment: memcached is earlier than 0:1.4.15-10.el7_3.1
          oval: oval:com.redhat.rhsa:tst:20162819003
        • comment: memcached is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20162819004
rhsa
id: RHSA-2016:2819
released: 2016-11-23
severity: Important
title: RHSA-2016:2819: memcached security update (Important)
rpms
  • memcached-0:1.4.15-10.el7_3.1
  • memcached-debuginfo-0:1.4.15-10.el7_3.1
  • memcached-devel-0:1.4.15-10.el7_3.1

Talos

id: TALOS-2016-0221
last seen: 2019-05-29
published: 2016-10-31
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0221
title: Memcached Server SASL Autentication Remote Code Execution Vulnerability

The Hacker News