CVE-2016-8704
published 2017-01-06

Priority: P267, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 23.17% (97.5th percentile)

An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | memcached | < memcached 1.4.33-1 (bookworm) | memcached 1.4.33-1 (bookworm) |
| memcached | memcached | <= 1.4.31 | |
| memcached | memcached | | |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |

Detection & IOCs (extracted from sources)

url: https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
process: process_bin_append_prepend
  • The vulnerability is exclusively in the Memcached binary protocol handler. Traffic using the binary protocol with append/prepend commands should be monitored for anomalously large or malformed payloads that could trigger integer overflow in process_bin_append_prepend.
  • A single specially crafted packet sent to a Memcached server can reveal whether the server is vulnerable; defenders can use this same probe logic to identify unpatched instances on port 11211.
  • Disable the Memcached binary protocol entirely as a mitigation by adding "-B ascii" to OPTIONS in /etc/sysconfig/memcached; any server still accepting binary protocol connections should be treated as potentially vulnerable.
  • Version string alone is insufficient to determine patch status; many distributions (Ubuntu, Fedora) backported the fix without bumping the version number. Behavioral probing is required to confirm patch level.
  • Memcached servers exposed directly to the internet on the default port are the primary attack surface; internet-facing Memcached instances should be flagged for immediate review.
  • Servers with SASL authentication enabled are NOT protected against CVE-2016-8704; nearly 99% of auth-enabled servers were still found vulnerable, indicating authentication does not mitigate this flaw.
  • Red Hat OpenStack Platform 7, 8, and 9 ship affected versions of memcached and will NOT receive a fix; operators must manually supersede with the RHEL 7 memcached package.
  • The binary protocol must be in use for exploitation; disabling it with "-B ascii" fully mitigates the vulnerability if clients only use the ASCII protocol.

CVSS provenance

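| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |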