CVE-2016-8705
Published 2017-01-06
Priority P264 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 19.85% (97.1th percentile)
Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | memcached | < memcached 1.4.33-1 (bookworm) | memcached 1.4.33-1 (bookworm) |
| debian | memcached | < memcached 1.5.0-1 (bookworm) | memcached 1.5.0-1 (bookworm) |
| memcached | memcached | <= 1.4.31 | — |
| memcached | memcached | <= 1.4.38 | — |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.5.0-1 | 1.5.0-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.5.0-1 | 1.5.0-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.5.0-1 | 1.5.0-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.5.0-1 | 1.5.0-1 |
Detection & IOCs
- The vulnerability exists in the memcached binary protocol handler (process_bin_update function). Monitor for binary protocol traffic to memcached ports, especially malformed or oversized update commands that could trigger integer overflow.
- Upstream patch available at the referenced GitHub commit; use it to identify patched vs. unpatched binaries in your environment.
- Talos intelligence report TALOS-2016-0220 contains additional technical details that may support signature development.
- The flaw is specific to the memcached binary protocol. Disabling the binary protocol by adding '-B ascii' to OPTIONS in /etc/sysconfig/memcached mitigates the vulnerability if clients only use the ASCII protocol.
- CVE-2017-9951 is an incomplete fix for CVE-2016-8705; environments patched only to memcached < 1.4.39 remain vulnerable to the follow-on heap-based buffer over-read via add/set key requests in the binary protocol.
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 9.8 CRITICAL
vendor_debian · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
GHSA
GHSA-52x7-vqgq-5mww: Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary prot
ghsa_unreviewed·2022-05-13
CVE-2016-8705 [CRITICAL] CWE-190 GHSA-52x7-vqgq-5mww: Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary prot
Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
GHSA
GHSA-vpcm-5gwm-79h2: The try_read_command function in memcached
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-9951 [CRITICAL] GHSA-vpcm-5gwm-79h2: The try_read_command function in memcached
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705.
OSV
CVE-2017-9951: The try_read_command function in memcached
osv·2017-07-17·CVSS 9.8
CVE-2017-9951 [CRITICAL] CVE-2017-9951: The try_read_command function in memcached
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705.
OSV
CVE-2016-8705: Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary prot
osv·2017-01-06·CVSS 9.8
CVE-2016-8705 [CRITICAL] CVE-2016-8705: Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary prot
Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Red Hat
memcached: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705)
vendor_redhat·2017-07-17·CVSS 9.8
CVE-2017-9951 [CRITICAL] CWE-119 memcached: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705)
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Mitigation: This flaw is in the memcached bi
Debian
CVE-2017-9951: memcached - The try_read_command function in memcached.c in memcached before 1.4.39 allows r...
vendor_debian·2017·CVSS 9.8
CVE-2017-9951 [CRITICAL] CVE-2017-9951: memcached - The try_read_command function in memcached.c in memcached before 1.4.39 allows r...
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705.
Scope: local
bookworm: resolved (fixed in 1.5.0-1)
bullseye: resolved (fixed in 1.5.0-1)
forky: resolved (fixed in 1.5.0-1)
sid: resolved (fixed in 1.5.0-1)
trixie: resolved (fixed in 1.5.0-1)
Ubuntu
Memcached vulnerabilities
vendor_ubuntu·2016-11-02
CVE-2016-8704 Memcached vulnerabilities
Title: Memcached vulnerabilities
Summary: Memcached could be made to crash or run programs if it received specially
crafted network traffic.
Aleksandar Nikolic discovered that Memcached incorrectly handled certain
malformed commands. A remote attacker could use this issue to cause
Memcached to crash, resulting in a denial of service, or possibly execute
arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
memcached: Server update remote code execution
vendor_redhat·2016-10-31·CVSS 9.8
CVE-2016-8705 [CRITICAL] CWE-190 memcached: Server update remote code execution
Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
Statement: The versions of memcached as shipped with Red Hat OpenStack Platform 7, 8 and 9 are affected by this issue however will not be updated. The latest version of memcached from Red Hat Enterprise Linux 7 can safely be allowed to supersede the earlier versions pro
Debian
CVE-2016-8705: memcached - Multiple integer overflows in process_bin_update function in Memcached, which is...
vendor_debian·2016·CVSS 9.8
CVE-2016-8705 [CRITICAL] CVE-2016-8705: memcached - Multiple integer overflows in process_bin_update function in Memcached, which is...
Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Scope: local
bookworm: resolved (fixed in 1.4.33-1)
bullseye: resolved (fixed in 1.4.33-1)
forky: resolved (fixed in 1.4.33-1)
sid: resolved (fixed in 1.4.33-1)
trixie: resolved (fixed in 1.4.33-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-9951 memcached: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705)
bugzilla·2017-07-17·CVSS 9.8
CVE-2017-9951 [CRITICAL] CVE-2017-9951 memcached: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705)
The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8705.
References:
https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/
https://github.com/memcached/memcached/wiki/ReleaseNotes1439
https://groups.google.com/forum/message/raw?msg=memcached/ubGWrkmrr4E/nrm1SeVJAQAJ
Discussion:
Created memcached tracking bug
Bugzilla
CVE-2017-9951 memcached: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705) [fedora-all]
bugzilla·2017-07-17·CVSS 9.8
CVE-2017-9951 [CRITICAL] CVE-2017-9951 memcached: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2016-8705 memcached: Server update remote code execution
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8705 [CRITICAL] CVE-2016-8705 memcached: Server update remote code execution
Multiple integer overflows in process_bin_update function which is
responsible for processing multiple commands of Memcached binary
protocol can be abused to cause heap overflow and lead to remote code
execution.
External References:
http://www.talosintelligence.com/reports/TALOS-2016-0220/
Upstream patch:
https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
Discussion:
Created memcached tracking bugs for this issue:
Affects: fedora-all [bug 1390513]
Affects: epel-5 [bug 1390514]
---
Mitigation:
This flaw is in the memcached binary protocol. If your client programs only use the ASCII protocol when communicating with memcached, you can disable the binary protocol and protect against thi
Bugzilla
CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [fedora-all]
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [epel-5]
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
[bug automatically created by: add-tracking-bugs]
References:
http://rhn.redhat.com/errata/RHSA-2016-2819.html
http://rhn.redhat.com/errata/RHSA-2016-2820.html
http://www.debian.org/security/2016/dsa-3704
http://www.securityfocus.com/bid/94083
http://www.securitytracker.com/id/1037333
http://www.talosintelligence.com/reports/TALOS-2016-0220/
https://access.redhat.com/errata/RHSA-2017:0059
https://security.gentoo.org/glsa/201701-12
Published: 2017-01-06