CVE-2016-8706
Published 2017-01-06
Priority: P268 · high · 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 45.70% (98.6th percentile)
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | memcached | < memcached 1.4.33-1 (bookworm) | memcached 1.4.33-1 (bookworm) |
| memcached | memcached | <= 1.4.31 | — |
| memcached | memcached | — | — |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
| memcached | memcached | >= 0 < 1.4.33-1 | 1.4.33-1 |
Detection & IOCs
bytes
0x80 0x21 (Memcached binary protocol request magic byte followed by the SASL auth opcode)
- Detect exploitation attempts by matching Memcached binary protocol opcode 0x21 (SASL auth) on TCP port 11211 with an abnormally large body length field indicative of integer overflow triggering heap overflow.
- A vulnerable server will respond with 'Invalid arguments' to the crafted SASL auth probe packet; a patched server will NOT return this string. Use this as a positive vulnerability indicator.
- CVE-2016-8706 is only exploitable when Memcached is started with the '-S' flag (SASL authentication enabled). Audit running Memcached processes for the '-S' command-line option to identify exposed attack surface.
- The vulnerable function is process_bin_sasl_auth; instrument or audit this function in Memcached binaries for integer overflow conditions in SASL authentication command handling.
- The vulnerability is only present when Memcached is launched with SASL authentication enabled via the '-S' flag; default deployments without this flag are NOT vulnerable.
- Major Linux distributions (Ubuntu, Fedora) backported the security patch without bumping the version number, so the version string reported by the server does NOT reliably indicate patch status; behavioral probing is required.
- Red Hat OpenStack Platform 9 (Mitaka) ships an affected version of memcached that will NOT be updated; administrators should supersede it with the RHEL 7 memcached package.
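The first detection item above, sketched as sensor-side logic. This is an added example, not code from any of the sources aggregated on this page. The names `scan_stream`, `request` and `MAX_SASL_BODY`, the 64 KiB threshold, and the extra header-consistency check are assumptions made for illustration.

```python
import struct

# Memcached binary protocol request header (24 bytes, network byte order):
# magic, opcode, key length, extras length, data type, vbucket id,
# total body length, opaque, CAS.
HEADER = struct.Struct("!BBHBBHIIQ")
REQUEST_MAGIC = 0x80
OPCODE_SASL_AUTH = 0x21
# Assumption (not from the page): a SASL auth body is a mechanism name plus
# credentials, so anything above 64 KiB is treated as abnormal. Tune per site.
MAX_SASL_BODY = 64 * 1024


def scan_stream(buf: bytes) -> list:
    """Walk pipelined client-to-server requests and flag suspect SASL auth headers."""
    alerts, off = [], 0
    while off + HEADER.size <= len(buf):
        magic, opcode, keylen, extlen, _, _, bodylen, _, _ = HEADER.unpack_from(buf, off)
        if magic != REQUEST_MAGIC:
            break  # not a binary-protocol request, or framing was lost
        reasons = []
        if opcode == OPCODE_SASL_AUTH:
            if bodylen > MAX_SASL_BODY:
                reasons.append("body-length-abnormal")
            # Generic protocol consistency: extras + key must fit in the body.
            if keylen + extlen > bodylen:
                reasons.append("header-inconsistent")
        if reasons:
            alerts.append({"offset": off, "keylen": keylen,
                           "bodylen": bodylen, "reasons": reasons})
            break  # declared lengths are untrustworthy; stop framing here
        off += HEADER.size + bodylen
    return alerts


def request(opcode: int, key: bytes, value: bytes = b"") -> bytes:
    """Build a well-formed request (used only for the constructed samples)."""
    body = key + value
    return HEADER.pack(REQUEST_MAGIC, opcode, len(key), 0, 0, 0, len(body), 0, 0) + body


# Constructed sample traffic, not captured from a real host.
GET_FOO = request(0x00, b"foo")
SASL_OK = request(OPCODE_SASL_AUTH, b"PLAIN", b"\x00user\x00pass")
# Header only: SASL auth declaring a 2 GiB body, as a sensor would see it.
SASL_HUGE = HEADER.pack(REQUEST_MAGIC, OPCODE_SASL_AUTH, 5, 0, 0, 0, 0x80000000, 0, 0)

if __name__ == "__main__":
    print(scan_stream(GET_FOO + SASL_OK))              # no alerts
    print(scan_stream(GET_FOO + SASL_OK + SASL_HUGE))  # one alert
```

Feed it the reassembled client-to-server byte stream of a TCP 11211 session; an alert on a host that the process audit shows running with '-S' is the combination worth escalating.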
CVSS provenance
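| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |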
Ubuntu
Memcached vulnerabilities
vendor_ubuntu·2016-11-02
CVE-2016-8704 Memcached vulnerabilities
Title: Memcached vulnerabilities
Summary: Memcached could be made to crash or run programs if it received specially
crafted network traffic.
Aleksandar Nikolic discovered that Memcached incorrectly handled certain
malformed commands. A remote attacker could use this issue to cause
Memcached to crash, resulting in a denial of service, or possibly execute
arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
memcached: SASL authentication remote code execution
vendor_redhat·2016-10-31·CVSS 8.1
CVE-2016-8706 [HIGH] CWE-190 memcached: SASL authentication remote code execution
An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
Statement: The version of memcached as shipped with Red Hat OpenStack Platform 9 is affected by this issue however will not be updated. The latest version of memcached from Red Hat Enterprise Linux 7 can safely be allowed to supersede the earlier vers
Debian
CVE-2016-8706: memcached - An integer overflow in process_bin_sasl_auth function in Memcached, which is res...
vendor_debian·2016·CVSS 8.1
CVE-2016-8706 [HIGH] CVE-2016-8706: memcached - An integer overflow in process_bin_sasl_auth function in Memcached, which is res...
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
Scope: local
bookworm: resolved (fixed in 1.4.33-1)
bullseye: resolved (fixed in 1.4.33-1)
forky: resolved (fixed in 1.4.33-1)
sid: resolved (fixed in 1.4.33-1)
trixie: resolved (fixed in 1.4.33-1)
GHSA
GHSA-xj8f-h9rc-62vh: An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can
ghsa_unreviewed·2022-05-13
CVE-2016-8706 [HIGH] CWE-190 GHSA-xj8f-h9rc-62vh: An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
OSV
CVE-2016-8706: An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can
osv·2017-01-06·CVSS 8.1
CVE-2016-8706 [HIGH] CVE-2016-8706: An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can
An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
No detection rules found.
Nuclei
Memcached Server SASL Authentication - Remote Code Execution
nuclei·CVSS 8.1
CVE-2016-8706 [HIGH] Memcached Server SASL Authentication - Remote Code Execution
Template:
```yaml
id: CVE-2016-8706

info:
  name: Memcached Server SASL Authentication - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
  impact: |
    Attackers can trigger heap overflow in the SASL authentication function, potentially achieving remote code execution on Memcached servers
```
Talos
Memcached - A Story of Failed Patching & Vulnerable Servers
blogs_talos·2017-07-17
This blog was authored by Aleksandar Nikolich and David Maynor with contributions from Nick Biasini

## Memcached - Not secure, Not Patched Fast Enough

Recently high profile vulnerabilities in systems were used to unleash several global ransomware attacks that greatly impacted organizations. These types of vulnerabilities were previously patched and could have been addressed by organizations before the attacks commenced. This is just the latest example in a long line of threats that are successful in large part because of the inability for patches to be applied in a timely and effective manner. In late 2016 Talos disclosed a series of vulnerabilities in a software platform called Memcached. After releasing the vulnerabilities Talos has been monitoring the amount of systems that were vulnerable a
Bugzilla
CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [fedora-all]
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2016-8706 memcached: SASL authentication remote code execution
bugzilla·2016-11-01·CVSS 8.1
CVE-2016-8706 [HIGH] CVE-2016-8706 memcached: SASL authentication remote code execution
An integer overflow in process_bin_sasl_auth function which is
responsible for authentication commands of Memcached binary protocol can
be abused to cause heap overflow and lead to remote code execution.
External References:
http://www.talosintelligence.com/reports/TALOS-2016-0221/
Upstream patch:
https://github.com/memcached/memcached/commit/bd578fc34b96abe0f8d99c1409814a09f51ee71c
Discussion:
Created memcached tracking bugs for this issue:
Affects: fedora-all [bug 1390513]
Affects: epel-5 [bug 1390514]
---
This flaw requires memcached compiled with SASL authentication enabled, as is the case for Red Hat Enterprise Linux 7.3.
Red Hat Enterprise Linux 7.2 and 6.x memcached packages are compiled without SASL suppo
Bugzilla
CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [epel-5]
bugzilla·2016-11-01·CVSS 9.8
CVE-2016-8704 [CRITICAL] CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 memcached: various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
- http://rhn.redhat.com/errata/RHSA-2016-2819.html
- http://www.debian.org/security/2016/dsa-3704
- http://www.securityfocus.com/bid/94083
- http://www.securitytracker.com/id/1037333
- http://www.talosintelligence.com/reports/TALOS-2016-0221/
- https://security.gentoo.org/glsa/201701-12
2017-01-06
Published