cbcvebase.
CVE-2016-8706
published 2017-01-06

CVE-2016-8706: An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be…

Priority: P268 high
CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 45.70% (98.6th percentile)
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
debian | memcached | < memcached 1.4.33-1 (bookworm) | memcached 1.4.33-1 (bookworm)
memcached | memcached | <= 1.4.31 |
memcached | memcached | |
memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1
memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1
memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1
memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1

Detection & IOCs (extracted from sources)

port: 11211
command: stats (sent as SASL auth payload with 1000-byte overflow buffer)
bytes: 0x80 0x21 (Memcached binary protocol SASL auth magic bytes)
  • Detect exploitation attempts by matching Memcached binary protocol opcode 0x21 (SASL auth) on TCP port 11211 with an abnormally large body length field indicative of integer overflow triggering heap overflow.
  • A vulnerable server will respond with 'Invalid arguments' to the crafted SASL auth probe packet; a patched server will NOT return this string. Use this as a positive vulnerability indicator.
  • CVE-2016-8706 is only exploitable when Memcached is started with the '-S' flag (SASL authentication enabled). Audit running Memcached processes for the '-S' command-line option to identify exposed attack surface.
  • The vulnerable function is process_bin_sasl_auth; instrument or audit this function in Memcached binaries for integer overflow conditions in SASL authentication command handling.
  • The vulnerability is only present when Memcached is launched with SASL authentication enabled via the '-S' flag; default deployments without this flag are NOT vulnerable.
  • Major Linux distributions (Ubuntu, Fedora) backported the security patch without bumping the version number, so the version string reported by the server does NOT reliably indicate patch status; behavioral probing is required.
  • Red Hat OpenStack Platform 9 (Mitaka) ships an affected version of memcached that will NOT be updated; administrators should supersede it with the RHEL 7 memcached package.
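As an added example (not part of this record and not memcached project code), a header-level check of the kind the first detection note describes: parse the 24-byte memcached binary request header and flag SASL auth (opcode 0x21) requests whose total body length is implausibly large. It also flags the inverse case, a body length shorter than extras plus key, because that violates the protocol's own framing invariant. The MAX_SANE_SASL_BODY threshold, the Finding type and the build_request helper are assumptions made for the demonstration; the test frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 24           # memcached binary protocol header is fixed at 24 bytes
MAGIC_REQUEST = 0x80      # request magic byte
OPCODE_SASL_AUTH = 0x21   # SASL auth opcode
# Assumed threshold: a real SASL mechanism name plus credentials is far smaller.
MAX_SANE_SASL_BODY = 1024


@dataclass
class Finding:
    reason: str
    keylen: int
    extlen: int
    bodylen: int


def parse_header(frame: bytes) -> Optional[Tuple[int, int, int, int, int]]:
    """Unpack magic, opcode, key length, extras length and total body length
    from a big-endian binary-protocol header; None if the frame is too short."""
    if len(frame) < HEADER_LEN:
        return None
    magic, opcode, keylen, extlen, _dtype, _vbucket, bodylen, _opaque, _cas = \
        struct.unpack("!BBHBBHIIQ", frame[:HEADER_LEN])
    return magic, opcode, keylen, extlen, bodylen


def check_sasl_auth_frame(frame: bytes) -> Optional[Finding]:
    """Return a Finding for a SASL auth request with an inconsistent body length."""
    hdr = parse_header(frame)
    if hdr is None:
        return None
    magic, opcode, keylen, extlen, bodylen = hdr
    if magic != MAGIC_REQUEST or opcode != OPCODE_SASL_AUTH:
        return None  # other opcodes are out of scope for this check
    # The body carries extras + key + value, so it can never be shorter than
    # extras + key; a server subtracting keylen from bodylen would go negative.
    if bodylen < keylen + extlen:
        return Finding("body length shorter than extras+key", keylen, extlen, bodylen)
    if bodylen > MAX_SANE_SASL_BODY:
        return Finding("abnormally large body length", keylen, extlen, bodylen)
    return None


def build_request(opcode: int, key: bytes = b"", value: bytes = b"",
                  bodylen: Optional[int] = None) -> bytes:
    """Constructed test frames only; the bodylen override injects a bad header."""
    body = key + value
    if bodylen is None:
        bodylen = len(body)
    hdr = struct.pack("!BBHBBHIIQ", MAGIC_REQUEST, opcode, len(key), 0, 0, 0, bodylen, 0, 0)
    return hdr + body
```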

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 8.1 | HIGH |
vendor_debian | | 8.1 | HIGH |
vendor_redhat | | 8.1 | HIGH |