Bug 498271 (CVE-2009-1255, CVE-2009-1494) - CVE-2009-1255, CVE-2009-1494 memcached: multiple vulnerabilities
Summary: CVE-2009-1255, CVE-2009-1494 memcached: multiple vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1255, CVE-2009-1494
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-29 17:17 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-18 20:16:33 UTC


Attachments (Terms of Use)
patch to fix CVE-2009-1494 (1.28 KB, patch)
2009-05-01 17:52 UTC, Vincent Danen
no flags Details | Diff

Description Vincent Danen 2009-04-29 17:17:21 UTC
It was reported [1] that memcached versions 1.2.0-1.2.7 contained a security weakness in the 'stats maps' command, where it displays stack, heap, and shared memory locations.  In the event that a buffer overrun was ever discovered in memcached, using the 'stats maps' command could be used to bypass address space layout randomization protection.  As well, since memcached offers no default authentication to its port, and thus this command, if the administrator did not firewall or otherwise secure the memcached listening port, a remote attacker could obtain this information easily.

memcached 1.2.8 has been released [2] and removes the 'stats maps' command entirely.

SecurityFocus reference: http://www.securityfocus.com/bid/34756

[1] http://www.positronsecurity.com/advisories/2009-001.html
[2] http://groups.google.com/group/memcached/browse_thread/thread/ff98a9b88fb5d40e

Comment 1 Vincent Danen 2009-04-29 17:19:40 UTC
I have verified this on Fedora 10; installing memcached and telnetting to port 11211 and issuing "stats maps" provides full information without any authentication required.

Comment 2 Paul Lindner 2009-04-29 17:23:27 UTC
I have my CVS access back.  I can prepare an updated version of memcached with 1.2.8 today.

Comment 3 Vincent Danen 2009-04-29 17:37:04 UTC
Fantastic.  Thanks for being so responsive.  You will be preparing this for F9, F10, and F11 then?

Comment 4 Paul Lindner 2009-04-29 17:48:02 UTC
I haven't kept up with the build system lately, but I see no reason why this couldn't happen on all three.  F-9 is pegged at 1.2.5 for some reason, I think there was some problem with selinux that prevented moving forward.  I'll see what I can do there.

Comment 5 Paul Lindner 2009-04-30 17:07:22 UTC
rawhide, F-10, F-11 all built.   F-10/F-11 submitted through bodhi.

Can someone tell me what it takes to get the update through testing and released?  This is my first time addressing a security problem.

Comment 6 Vincent Danen 2009-04-30 17:28:47 UTC
Hi, Paul.  I'm not sure what the steps are on the Fedora side.. I'm trying to find out for you (and my enlightenment as well).  Thanks.

Comment 7 Vincent Danen 2009-04-30 17:36:47 UTC
Hi Paul.  Ok, from what I'm hearing there is very little difference between a security or a non-security update for Fedora.  There should be a way to mark it as a security fix (either via the web ui or via bodhi -t security).  If you need more than that, please let me know (I've never built anything for Fedora or via bodhi so this is all new to me).  Thanks.

Comment 8 Vincent Danen 2009-05-01 16:49:10 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1255 to
the following vulnerability:

Name: CVE-2009-1255
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1255
Assigned: 20090407
Reference: BUGTRAQ:20090428 Positron Security Advisory #2009-001: Memcached and MemcacheDB ASLR Bypass Weakness
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/503064/100/0/threaded
Reference: MISC: http://www.positronsecurity.com/advisories/2009-001.html
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: CONFIRM: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: BID:34756
Reference: URL: http://www.securityfocus.com/bid/34756
Reference: SECUNIA:34915
Reference: URL: http://secunia.com/advisories/34915
Reference: SECUNIA:34932
Reference: URL: http://secunia.com/advisories/34932
Reference: VUPEN:ADV-2009-1196
Reference: URL: http://www.vupen.com/english/advisories/2009/1196
Reference: VUPEN:ADV-2009-1197
Reference: URL: http://www.vupen.com/english/advisories/2009/1197

The process_stat function in (1) Memcached before 1.2.8 and (2)
MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in
response to a stats maps command and (b) memory-allocation statistics
in response to a stats malloc command, which allows remote attackers
to obtain sensitive information such as the locations of memory
regions, and defeat ASLR protection, by sending a command to the
daemon's TCP port.

Comment 9 Paul Lindner 2009-05-01 17:19:30 UTC
bodhi still shows this as pending.....

Comment 10 Vincent Danen 2009-05-01 17:51:02 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1494 to
the following vulnerability:

Name: CVE-2009-1494
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1494
MISC: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: MISC: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: MISC: http://memcached.googlecode.com/files/memcached-1.2.8.tar.gz

The process_stat function in Memcached 1.2.8 discloses
memory-allocation statistics in response to a stats malloc command,
which allows remote attackers to obtain potentially sensitive
information by sending this command to the daemon's TCP port.


NOTE: the above description is wrong.  This is fixed in memcachedb 1.2.0, but not in memcached 1.2.8, so this actually affects memcached <= 1.2.8 (just verified by compiling new memcached 1.2.8 and running it locally).  The 'stats malloc' command most definitely works:

% rpm -q memcached
memcached-1.2.8-1.fc10.x86_64
% memcached -h | head -1
memcached 1.2.8
% telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats version
ERROR
stats malloc
STAT arena_size 921600
STAT free_chunks 3
STAT fastbin_blocks 0
STAT mmapped_regions 1
STAT mmapped_space 528384
STAT max_total_alloc 0
STAT fastbin_space 0
STAT total_alloc 813488
STAT total_free 108112
STAT releasable_space 107952
END


I came up with a quick patch to remove the 'stats malloc' command entirely.  I'll attach it in a moment.  We may want to include that in our updated packages.

Comment 11 Vincent Danen 2009-05-01 17:52:01 UTC
Created attachment 342133 [details]
patch to fix CVE-2009-1494

This patch removes the 'stats malloc' command.

Comment 12 Vincent Danen 2009-05-01 17:54:37 UTC
Hi, Paul.  You may want to replace those packages in bodhi with a new one with the patch I attached to fix the second information disclosure issue.  I don't necessarily thing there is anything there that is security-sensitive, but it was removed in memcachedb at the same time as the stats maps command, and a CVE name was assigned.  At any rate, I don't think it will hurt to remove it.

I'm also not sure, having never used bodhi myself, but maybe you need to flag this as security when you submit it?  I'm not sure.  Sorry I'm not much more help with that.

Comment 13 Tomas Hoger 2009-05-02 18:26:16 UTC
(In reply to comment #9)
> bodhi still shows this as pending.....  

Pending means that the update is waiting for Fedora rel-eng to sign packages and push update to testing / stable as you requested.

Comment 14 Fedora Update System 2009-05-20 00:51:22 UTC
memcached-1.2.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-05-26 07:55:31 UTC
memcached-1.2.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.