It was reported [1] that memcached versions 1.2.0-1.2.7 contained a security weakness in the 'stats maps' command, where it displays stack, heap, and shared memory locations. In the event that a buffer overrun was ever discovered in memcached, the 'stats maps' command could be used to bypass address space layout randomization protection. As well, since memcached offers no default authentication to its port, and thus this command, if the administrator did not firewall or otherwise secure the memcached listening port, a remote attacker could obtain this information easily. memcached 1.2.8 has been released [2] and removes the 'stats maps' command entirely.

SecurityFocus reference: http://www.securityfocus.com/bid/34756

[1] http://www.positronsecurity.com/advisories/2009-001.html
[2] http://groups.google.com/group/memcached/browse_thread/thread/ff98a9b88fb5d40e
I have verified this on Fedora 10; installing memcached and telnetting to port 11211 and issuing "stats maps" provides full information without any authentication required.
I have my CVS access back. I can prepare an updated version of memcached with 1.2.8 today.
Fantastic. Thanks for being so responsive. You will be preparing this for F9, F10, and F11 then?
I haven't kept up with the build system lately, but I see no reason why this couldn't happen on all three. F-9 is pegged at 1.2.5 for some reason, I think there was some problem with selinux that prevented moving forward. I'll see what I can do there.
rawhide, F-10, F-11 all built. F-10/F-11 submitted through bodhi. Can someone tell me what it takes to get the update through testing and released? This is my first time addressing a security problem.
Hi, Paul. I'm not sure what the steps are on the Fedora side. I'm trying to find out for you (and my enlightenment as well). Thanks.
Hi Paul. Ok, from what I'm hearing there is very little difference between a security or a non-security update for Fedora. There should be a way to mark it as a security fix (either via the web ui or via bodhi -t security). If you need more than that, please let me know (I've never built anything for Fedora or via bodhi so this is all new to me). Thanks.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1255 to the following vulnerability:

Name: CVE-2009-1255
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1255
Assigned: 20090407
Reference: BUGTRAQ:20090428 Positron Security Advisory #2009-001: Memcached and MemcacheDB ASLR Bypass Weakness
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/503064/100/0/threaded
Reference: MISC: http://www.positronsecurity.com/advisories/2009-001.html
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: CONFIRM: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: CONFIRM: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: BID:34756
Reference: URL: http://www.securityfocus.com/bid/34756
Reference: SECUNIA:34915
Reference: URL: http://secunia.com/advisories/34915
Reference: SECUNIA:34932
Reference: URL: http://secunia.com/advisories/34932
Reference: VUPEN:ADV-2009-1196
Reference: URL: http://www.vupen.com/english/advisories/2009/1196
Reference: VUPEN:ADV-2009-1197
Reference: URL: http://www.vupen.com/english/advisories/2009/1197

The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain sensitive information such as the locations of memory regions, and defeat ASLR protection, by sending a command to the daemon's TCP port.
bodhi still shows this as pending.....
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1494 to the following vulnerability:

Name: CVE-2009-1494
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1494
MISC: http://code.google.com/p/memcachedb/source/browse/trunk/ChangeLog?spec=svn98&r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/detail?r=98
Reference: MISC: http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c
Reference: MISC: http://groups.google.com/group/memcached/browse_thread/thread/ff96a9b88fb5d40e
Reference: MISC: http://memcached.googlecode.com/files/memcached-1.2.8.tar.gz

The process_stat function in Memcached 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to the daemon's TCP port.

NOTE: the above description is wrong. This is fixed in memcachedb 1.2.0, but not in memcached 1.2.8, so this actually affects memcached <= 1.2.8 (just verified by compiling new memcached 1.2.8 and running it locally). The 'stats malloc' command most definitely works:

% rpm -q memcached
memcached-1.2.8-1.fc10.x86_64
% memcached -h | head -1
memcached 1.2.8
% telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats version
ERROR
stats malloc
STAT arena_size 921600
STAT free_chunks 3
STAT fastbin_blocks 0
STAT mmapped_regions 1
STAT mmapped_space 528384
STAT max_total_alloc 0
STAT fastbin_space 0
STAT total_alloc 813488
STAT total_free 108112
STAT releasable_space 107952
END

I came up with a quick patch to remove the 'stats malloc' command entirely. I'll attach it in a moment. We may want to include that in our updated packages.
Created attachment 342133
patch to fix CVE-2009-1494

This patch removes the 'stats malloc' command.
Hi, Paul. You may want to replace those packages in bodhi with a new one with the patch I attached to fix the second information disclosure issue. I don't necessarily think there is anything there that is security-sensitive, but it was removed in memcachedb at the same time as the stats maps command, and a CVE name was assigned. At any rate, I don't think it will hurt to remove it. I'm also not sure, having never used bodhi myself, but maybe you need to flag this as security when you submit it? I'm not sure. Sorry I'm not much more help with that.
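The verification done by hand in the comments above (telnet to port 11211, issue 'stats maps' and 'stats malloc', see whether data or ERROR comes back) as a small audit script. This is an added example, not code from this bug, memcached or the Fedora packages; it assumes the memcached text protocol (stats replies end with END, rejected commands answer with an error line), and the sample replies are constructed from the 'stats malloc' output quoted above.

```python
import socket
# The two subcommands this bug covers: 'stats maps' (dropped in memcached 1.2.8) and
# 'stats malloc' (dropped by the patch attached above; already gone in memcachedb 1.2.0).
DISCLOSING_SUBCOMMANDS = ("maps", "malloc")
ERROR_WORDS = (b"ERROR", b"CLIENT_ERROR", b"SERVER_ERROR")

# Constructed sample replies: a trimmed copy of the 'stats malloc' output quoted in
# this bug, and the bare ERROR a fixed daemon returns for a subcommand it no longer has.
SAMPLE_MALLOC_REPLY = "STAT arena_size 921600\r\nSTAT free_chunks 3\r\nSTAT total_alloc 813488\r\nEND\r\n"
SAMPLE_FIXED_REPLY = "ERROR\r\n"

def parse_stats(reply):
    """Collect 'STAT <name> <value>' lines into a dict (ints where the value is numeric)."""
    pairs = (line.split() for line in reply.splitlines())
    return {p[1]: int(p[2]) if p[2].isdigit() else p[2] for p in pairs if len(p) == 3 and p[0] == "STAT"}

def classify_reply(reply):
    """'disabled': daemon rejected the subcommand (patched state);
    'disclosing': it answered with data; 'no-reply': nothing came back."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines:
        return "no-reply"
    return "disabled" if lines[0].split()[0].encode() in ERROR_WORDS else "disclosing"

def _reply_complete(buf):
    # A stats reply is terminated by END; a rejected command yields a single error line.
    return any(l == b"END" or l.split(b" ")[0] in ERROR_WORDS for l in buf.split(b"\r\n"))

def socket_transport(host, port=11211, timeout=3.0):
    """Return callable(command) -> reply text, talking the plain-text protocol."""
    def send(command):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(command.encode() + b"\r\n")
            buf = b""
            while not _reply_complete(buf):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf.decode(errors="replace")
    return send

def canned_transport(replies):
    """Offline transport for testing: maps subcommand name -> reply text."""
    return lambda cmd: replies.get(cmd.split()[-1], SAMPLE_FIXED_REPLY)

def audit(transport):
    """Report each disclosing subcommand's state via any callable(command) -> reply."""
    return {sub: classify_reply(transport("stats " + sub)) for sub in DISCLOSING_SUBCOMMANDS}
```

Against a live daemon, `audit(socket_transport("localhost"))` should report both subcommands as "disabled" once the patched package is installed; any "disclosing" entry means the build still answers that command.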
(In reply to comment #9)
> bodhi still shows this as pending.....

Pending means that the update is waiting for Fedora rel-eng to sign packages and push the update to testing / stable as you requested.
memcached-1.2.8-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
memcached-1.2.8-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.