Bug 498271 - (CVE-2009-1255, CVE-2009-1494) CVE-2009-1255, CVE-2009-1494 memcached: multiple vulnerabilities
CVE-2009-1255, CVE-2009-1494 memcached: multiple vulnerabilities
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2009-04-29 13:17 EDT by Vincent Danen
Modified: 2009-09-18 16:16 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-18 16:16:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to fix CVE-2009-1494 (1.28 KB, patch)
2009-05-01 13:52 EDT, Vincent Danen
no flags Details | Diff

  None (edit)
Description Vincent Danen 2009-04-29 13:17:21 EDT
It was reported [1] that memcached versions 1.2.0-1.2.7 contained a security weakness in the 'stats maps' command, where it displays stack, heap, and shared memory locations.  In the event that a buffer overrun was ever discovered in memcached, using the 'stats maps' command could be used to bypass address space layout randomization protection.  As well, since memcached offers no default authentication to its port, and thus this command, if the administrator did not firewall or otherwise secure the memcached listening port, a remote attacker could obtain this information easily.

memcached 1.2.8 has been released [2] and removes the 'stats maps' command entirely.

SecurityFocus reference: http://www.securityfocus.com/bid/34756

[1] http://www.positronsecurity.com/advisories/2009-001.html
[2] http://groups.google.com/group/memcached/browse_thread/thread/ff98a9b88fb5d40e
Comment 1 Vincent Danen 2009-04-29 13:19:40 EDT
I have verified this on Fedora 10; installing memcached and telnetting to port 11211 and issuing "stats maps" provides full information without any authentication required.
Comment 2 Paul Lindner 2009-04-29 13:23:27 EDT
I have my CVS access back.  I can prepare an updated version of memcached with 1.2.8 today.
Comment 3 Vincent Danen 2009-04-29 13:37:04 EDT
Fantastic.  Thanks for being so responsive.  You will be preparing this for F9, F10, and F11 then?
Comment 4 Paul Lindner 2009-04-29 13:48:02 EDT
I haven't kept up with the build system lately, but I see no reason why this couldn't happen on all three.  F-9 is pegged at 1.2.5 for some reason, I think there was some problem with selinux that prevented moving forward.  I'll see what I can do there.
Comment 5 Paul Lindner 2009-04-30 13:07:22 EDT
rawhide, F-10, F-11 all built.   F-10/F-11 submitted through bodhi.

Can someone tell me what it takes to get the update through testing and released?  This is my first time addressing a security problem.
Comment 6 Vincent Danen 2009-04-30 13:28:47 EDT
Hi, Paul.  I'm not sure what the steps are on the Fedora side.. I'm trying to find out for you (and my enlightenment as well).  Thanks.
Comment 7 Vincent Danen 2009-04-30 13:36:47 EDT
Hi Paul.  Ok, from what I'm hearing there is very little difference between a security or a non-security update for Fedora.  There should be a way to mark it as a security fix (either via the web ui or via bodhi -t security).  If you need more than that, please let me know (I've never built anything for Fedora or via bodhi so this is all new to me).  Thanks.
Comment 8 Vincent Danen 2009-05-01 12:49:10 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1255 to
the following vulnerability:

Name: CVE-2009-1255
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1255
Assigned: 20090407
Reference: BUGTRAQ:20090428 Positron Security Advisory #2009-001: Memcached and MemcacheDB ASLR Bypass Weakness
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/503064/100/0/threaded
Reference: MISC: http://www.positronsecurity.com/advisories/2009-001.html
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: CONFIRM: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: BID:34756
Reference: URL: http://www.securityfocus.com/bid/34756
Reference: SECUNIA:34915
Reference: URL: http://secunia.com/advisories/34915
Reference: SECUNIA:34932
Reference: URL: http://secunia.com/advisories/34932
Reference: VUPEN:ADV-2009-1196
Reference: URL: http://www.vupen.com/english/advisories/2009/1196
Reference: VUPEN:ADV-2009-1197
Reference: URL: http://www.vupen.com/english/advisories/2009/1197

The process_stat function in (1) Memcached before 1.2.8 and (2)
MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in
response to a stats maps command and (b) memory-allocation statistics
in response to a stats malloc command, which allows remote attackers
to obtain sensitive information such as the locations of memory
regions, and defeat ASLR protection, by sending a command to the
daemon's TCP port.
Comment 9 Paul Lindner 2009-05-01 13:19:30 EDT
bodhi still shows this as pending.....
Comment 10 Vincent Danen 2009-05-01 13:51:02 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1494 to
the following vulnerability:

Name: CVE-2009-1494
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1494
MISC: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: MISC: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: MISC: http://memcached.googlecode.com/files/memcached-1.2.8.tar.gz

The process_stat function in Memcached 1.2.8 discloses
memory-allocation statistics in response to a stats malloc command,
which allows remote attackers to obtain potentially sensitive
information by sending this command to the daemon's TCP port.

NOTE: the above description is wrong.  This is fixed in memcachedb 1.2.0, but not in memcached 1.2.8, so this actually affects memcached <= 1.2.8 (just verified by compiling new memcached 1.2.8 and running it locally).  The 'stats malloc' command most definitely works:

% rpm -q memcached
% memcached -h | head -1
memcached 1.2.8
% telnet localhost 11211
Connected to localhost.
Escape character is '^]'.
stats version
stats malloc
STAT arena_size 921600
STAT free_chunks 3
STAT fastbin_blocks 0
STAT mmapped_regions 1
STAT mmapped_space 528384
STAT max_total_alloc 0
STAT fastbin_space 0
STAT total_alloc 813488
STAT total_free 108112
STAT releasable_space 107952

I came up with a quick patch to remove the 'stats malloc' command entirely.  I'll attach it in a moment.  We may want to include that in our updated packages.
Comment 11 Vincent Danen 2009-05-01 13:52:01 EDT
Created attachment 342133 [details]
patch to fix CVE-2009-1494

This patch removes the 'stats malloc' command.
Comment 12 Vincent Danen 2009-05-01 13:54:37 EDT
Hi, Paul.  You may want to replace those packages in bodhi with a new one with the patch I attached to fix the second information disclosure issue.  I don't necessarily thing there is anything there that is security-sensitive, but it was removed in memcachedb at the same time as the stats maps command, and a CVE name was assigned.  At any rate, I don't think it will hurt to remove it.

I'm also not sure, having never used bodhi myself, but maybe you need to flag this as security when you submit it?  I'm not sure.  Sorry I'm not much more help with that.
Comment 13 Tomas Hoger 2009-05-02 14:26:16 EDT
(In reply to comment #9)
> bodhi still shows this as pending.....  

Pending means that the update is waiting for Fedora rel-eng to sign packages and push update to testing / stable as you requested.
Comment 14 Fedora Update System 2009-05-19 20:51:22 EDT
memcached-1.2.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-05-26 03:55:31 EDT
memcached-1.2.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.