Bug 1390512 (CVE-2016-8706) - CVE-2016-8706 memcached: SASL authentication remote code execution
Summary: CVE-2016-8706 memcached: SASL authentication remote code execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161031,repor...
Depends On: 1390513 1390514 1391262 1391263 1392273 1392274
Blocks: 1390516 1393126
TreeView+ depends on / blocked
 
Reported: 2016-11-01 09:43 UTC by Andrej Nemec
Modified: 2019-06-08 21:33 UTC (History)
30 users (show)

Fixed In Version: memcached 1.4.33
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2016-11-24 05:58:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2819 normal SHIPPED_LIVE Important: memcached security update 2016-11-23 12:47:52 UTC

Description Andrej Nemec 2016-11-01 09:43:39 UTC
An integer overflow in process_bin_sasl_auth function which is
responsible for authentication commands of Memcached binary protocol can
be abused to cause heap overflow and lead to remote code execution.

External References:

http://www.talosintelligence.com/reports/TALOS-2016-0221/

Upstream patch:

https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c

Comment 1 Andrej Nemec 2016-11-01 09:45:11 UTC
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1390513]
Affects: epel-5 [bug 1390514]

Comment 2 Doran Moppert 2016-11-02 06:56:11 UTC
This flaw requires memcached compiled with SASL authentication enabled, as is the case for Red Hat Enterprise Linux 7.3.

Red Hat Enterprise Linux 7.2 and 6.x memcached packages are compiled without SASL support, so they are not affected.

Comment 10 Doran Moppert 2016-11-08 22:42:01 UTC
Mitigation:

This flaw requires memcached to be running with SASL authentication enabled, which is not the default setting. If your memcached instances are running without the "-S" command-line option, they are not vulnerable.

Comment 12 errata-xmlrpc 2016-11-23 07:49:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2819 https://rhn.redhat.com/errata/RHSA-2016-2819.html

Comment 13 Garth Mollett 2016-11-24 05:54:41 UTC
Statement:

The version of memcached as shipped with Red Hat OpenStack Platform 9 is affected by this issue however will not be updated. The latest version of memcached from Red Hat Enterprise Linux 7 can safely be allowed to supersede the earlier versions provided in the Red Hat OpenStack Platform channels.


Note You need to log in before you can comment on or make changes to this bug.