CVE-2016-8704
Published 2017-01-06
Priority P267 · critical · 9.8 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 23.17% (97.5th percentile)
An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | memcached | < memcached 1.4.33-1 (bookworm) | memcached 1.4.33-1 (bookworm) |
| memcached | memcached | <= 1.4.31 | — |
| memcached | memcached | — | — |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
Detection & IOCs
- The vulnerability is exclusively in the Memcached binary protocol handler. Traffic using the binary protocol with append/prepend commands should be monitored for anomalously large or malformed payloads that could trigger integer overflow in process_bin_append_prepend.
- A single specially crafted packet sent to a Memcached server can reveal whether the server is vulnerable; defenders can use this same probe logic to identify unpatched instances on port 11211.
- Disable the Memcached binary protocol entirely as a mitigation by adding "-B ascii" to OPTIONS in /etc/sysconfig/memcached; any server still accepting binary protocol connections should be treated as potentially vulnerable.
- Version string alone is insufficient to determine patch status; many distributions (Ubuntu, Fedora) backported the fix without bumping the version number. Behavioral probing is required to confirm patch level.
- Memcached servers exposed directly to the internet on the default port are the primary attack surface; internet-facing Memcached instances should be flagged for immediate review.
- Servers with SASL authentication enabled are NOT protected against CVE-2016-8704; nearly 99% of auth-enabled servers were still found vulnerable, indicating authentication does not mitigate this flaw.
- Red Hat OpenStack Platform 7, 8, and 9 ship affected versions of memcached and will NOT receive a fix; operators must manually supersede with the RHEL 7 memcached package.
- The binary protocol must be in use for exploitation; disabling it with "-B ascii" fully mitigates the vulnerability if clients only use the ASCII protocol.
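An added example (not taken from any of the sources quoted on this page): a Python audit of a memcached sysconfig file against the mitigation and exposure points listed above. It assumes the Red Hat style `/etc/sysconfig/memcached` layout with `PORT` and `OPTIONS` variables; the function names and the sample files are constructed for illustration.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_sysconfig(text):
    """Collect KEY=value shell assignments, honouring quotes and comments."""
    conf = {}
    for line in text.splitlines():
        for tok in shlex.split(line, comments=True):
            key, sep, val = tok.partition("=")
            if sep and key.isidentifier():
                conf[key] = val
    return conf

def flag_values(args, flag):
    """Values passed to a getopt-style flag, as '-B ascii' or '-Bascii'."""
    vals = []
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            vals.append(args[i + 1])
        elif arg.startswith(flag) and len(arg) > len(flag):
            vals.append(arg[len(flag):])
    return vals

def audit(text):
    conf = parse_sysconfig(text)
    args = shlex.split(conf.get("OPTIONS", ""))
    # memcached negotiates the protocol per connection ("auto") unless -B pins it.
    protocol = (flag_values(args, "-B") or ["auto"])[-1].lower()
    # With no -l, memcached binds every interface.
    addrs = [a for a in (flag_values(args, "-l") or [""])[-1].split(",") if a]
    binary = protocol != "ascii"
    exposed = not addrs or any(a.strip("[]") not in LOOPBACK for a in addrs)
    findings = []
    if binary:
        findings.append(f"binary protocol accepted (-B {protocol}); confirm the patch or set -B ascii")
        if "-S" in args:
            findings.append("SASL (-S) is on but does not mitigate CVE-2016-8704")
    if exposed:
        findings.append(f"listens beyond loopback on port {conf.get('PORT', '11211')}")
    return {"binary": binary, "exposed": exposed, "findings": findings}

# Constructed sample files, not taken from any real host.
DEFAULT = 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n'
HARDENED = 'PORT="11211"\nOPTIONS="-B ascii -l 127.0.0.1,::1"  # ASCII clients only\n'
SASL_ONLY = 'PORT="11211"\nOPTIONS="-S -l 10.0.0.5"\n'

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT), ("hardened", HARDENED), ("sasl-only", SASL_ONLY)):
        print(name, audit(sample))
```

A clean result here only says the binary protocol is switched off in configuration; because distributions backported the fix without bumping the version, patch level still has to be confirmed from the package changelog or vendor advisory.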
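CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |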
GHSA
GHSA-5hm6-wpg3-fv45: An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary
ghsa_unreviewed·2022-05-13
CVE-2016-8704 [CRITICAL] CWE-190 GHSA-5hm6-wpg3-fv45: An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary
An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
OSV
CVE-2016-8704: An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary
osv·2017-01-06·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704: An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary
An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Ubuntu
Memcached vulnerabilities
vendor_ubuntu·2016-11-02
CVE-2016-8704 Memcached vulnerabilities
Title: Memcached vulnerabilities
Summary: Memcached could be made to crash or run programs if it received specially
crafted network traffic.
Aleksandar Nikolic discovered that Memcached incorrectly handled certain
malformed commands. A remote attacker could use this issue to cause
Memcached to crash, resulting in a denial of service, or possibly execute
arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
memcached: Server append/prepend remote code execution
vendor_redhat·2016-10-31·CVSS 9.8
CVE-2016-8704 [CRITICAL] CWE-190 memcached: Server append/prepend remote code execution
An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
Statement: The versions of memcached as shipped with Red Hat OpenStack Platform 7, 8 and 9 are affected by this issue however will not be updated. The latest version of memcached from Red Hat Enterprise Linux 7 can safely be allowed to supersede the earlier
Debian
CVE-2016-8704: memcached - An integer overflow in the process_bin_append_prepend function in Memcached, whi...
vendor_debian·2016·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704: memcached - An integer overflow in the process_bin_append_prepend function in Memcached, whi...
An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Scope: local
bookworm: resolved (fixed in 1.4.33-1)
bullseye: resolved (fixed in 1.4.33-1)
forky: resolved (fixed in 1.4.33-1)
sid: resolved (fixed in 1.4.33-1)
trixie: resolved (fixed in 1.4.33-1)
No detection rules found.
No public exploits indexed.
Talos
Memcached - A Story of Failed Patching & Vulnerable Servers
blogs_talos·2017-07-17
This blog authored by Aleksandar Nikolich and David Maynor with contributions from Nick Biasini
## Memcached - Not secure, Not Patched Fast Enough
Recently high profile vulnerabilities in systems were used to unleash several global ransomware attacks that greatly impacted organizations. These types of vulnerabilities were previously patched and could have been addressed by organizations before the attacks commenced. This is just the latest example in a long line of threats that are successful in large part because of the inability for patches to be applied in a timely and effective manner. In late 2016 Talos disclosed a series of vulnerabilities in a software platform called Memcached. After releasing the vulnerabilities Talos has been monitoring the amount of systems that were vulnerable a
Bugzilla
CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [fedora-all]
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2016-8704 memcached: Server append/prepend remote code execution
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 memcached: Server append/prepend remote code execution
An integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.
External References:
http://www.talosintelligence.com/reports/TALOS-2016-0219/
Upstream patch:
https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
Discussion:
Created memcached tracking bugs for this issue:
Affects: fedora-all [bug 1390513]
Affects: epel-5 [bug 1390514]
---
Mitigation:
This flaw is in the memcached binary protocol. If your client programs only use the ASCII protocol when communicating with memcached, you can disable the binary protocol and protect
Bugzilla
CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [epel-5]
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
http://rhn.redhat.com/errata/RHSA-2016-2819.html
http://rhn.redhat.com/errata/RHSA-2016-2820.html
http://www.debian.org/security/2016/dsa-3704
http://www.securityfocus.com/bid/94083
http://www.securitytracker.com/id/1037333
http://www.talosintelligence.com/reports/TALOS-2016-0219/
https://access.redhat.com/errata/RHSA-2017:0059
https://security.gentoo.org/glsa/201701-12
2017-01-06
Published