-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2016.0099
             Multiple vulnerabilities identified in Memcached
                              2 November 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Memcached
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-8706 CVE-2016-8705 CVE-2016-8704
Member content until: Friday, December 2 2016

OVERVIEW

        Multiple vulnerabilities have been identified in Memcached prior
        to version 1.4.33. [1-5]

IMPACT

        Talos has provided the following information regarding the
        vulnerabilities:

        "Multiple integer overflow vulnerabilities exist within Memcached
        that could be exploited to achieve remote code execution on the
        targeted system. These vulnerabilities manifest in various
        Memcached functions that are used in inserting, appending,
        prepending, or modifying key-value data pairs. Systems which also
        have Memcached compiled with support for SASL authentication are
        also vulnerable to a third flaw due to how Memcached handles SASL
        authentication commands." [5]

        CVE-2016-8704:
        "An integer overflow in the process_bin_append_prepend function
        which is responsible for processing multiple commands of
        Memcached binary protocol can be abused to cause heap overflow
        and lead to remote code execution." [2]

        CVE-2016-8705:
        "Multiple integer overflows in process_bin_update function which
        is responsible for processing multiple commands of Memcached
        binary protocol can be abused to cause heap overflow and lead to
        remote code execution." [3]

        CVE-2016-8706:
        "An integer overflow in process_bin_sasl_auth function which is
        responsible for authentication commands of Memcached binary
        protocol can be abused to cause heap overflow and lead to remote
        code execution." [4]

        "An attacker could exploit these vulnerabilities by sending a
        specifically crafted Memcached command to the targeted server.
        Additionally, these vulnerabilities could also be exploited to
        leak sensitive process information which an attacker could use
        to bypass common exploitation mitigations, such as ASLR, and can
        be triggered multiple times. This enables reliable exploitation
        which makes these vulnerabilities severe." [5]

MITIGATION

        Talos has provided the following mitigation advice:

        "While it's strongly recommended that Memcached servers are set
        up so that they are only accessible within a trusted environment,
        many Memcached servers are set up so that they are accessible
        over the internet. Additionally, administrators should not
        neglect Memcached deployments in "trusted" environments as
        attackers may target vulnerable servers to move laterally within
        a network." [5]

        Users are advised to upgrade to the latest version of Memcached
        to address these vulnerabilities. [1]

REFERENCES

        [1] memcached -- multiple vulnerabilities
            https://www.vuxml.org/freebsd/f4bf713f-6ac7-4b76-8980-47bf90c5419f.html

        [2] MEMCACHED SERVER APPEND/PREPEND REMOTE CODE EXECUTION VULNERABILITY
            http://www.talosintelligence.com/reports/TALOS-2016-0219/

        [3] MEMCACHED SERVER UPDATE REMOTE CODE EXECUTION VULNERABILITY
            http://www.talosintelligence.com/reports/TALOS-2016-0220/

        [4] MEMCACHED SERVER SASL AUTHENTICATION REMOTE CODE EXECUTION VULNERABILITY
            http://www.talosintelligence.com/reports/TALOS-2016-0221/

        [5] Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached
            Identified and Patched
            http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWBmRxIx+lLeg9Ub1AQgYpw//b4P2Iucr3q/h88J01JB1JUHRu0oxd5Be
gX2LdKPsMl3aHzHFWmTeCQA6zVj/FZwmTc1XN4Xr2tMcAzX2TXKmrrFU/6uPalfX
X/4iiETwLcNOr08UZWf+tzZMtFRgVWL/s47VMgYIoKoy63ItYNf7WIaNSfgXtq/D
kBBBc4BtJESFEzfGLME4blgnsVy3bkGq/sn2pliA+C81iB1ehiM1jl1cBegTnK40
Hc49rcHgwuneOziZTAVIVz1VDwKpO8julb4hpnJcIyi647fcCHbuAHSdRL+nwbJ8
OyB0tok2Vq41Yl56CPGGxpJUzMVv4KuxO28V7DNNsN7par//6L/tmQdBMwkF0pn0
+4HptFWEnOjwkcIPzPvNDtyWKGt7ugwbm51L2thmeC1Sf7HpxsNe6tx33kpCT6t3
zcThFNOVZ5mnX8R+Jzrn/iQdleV4GbVj5RnnDic96D2HJjfxO3PxXv0d20sK03nP
A0W/+SWJjQe6eSUH0ow3rQnZfuZ9ycYA+43SYEKA8bUUlM6tXE/DaCycKJ8EcogO
jfXRGKyZ1xtirONiIagiVEAP//dO6Om/GjOL1tyvhkoh/dJefbi3DfWixIIqdQsR
RVzBuho68dlrLgKKSgMxCLdvyFP0bVu5AXbsgEFL6D4AFSpi4oVTP38tXIsXwQPW
A/5BN/JANSM=
=UiVg
-----END PGP SIGNATURE-----
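The bulletin's resolution is to upgrade to 1.4.33 or later, and the third flaw (CVE-2016-8706) only applies to builds with SASL support. The following script is an added inventory check, not part of the AusCERT bulletin or of the Memcached project: it parses the reply to the ASCII-protocol `version` command, compares it against the fixed release named above, and reads the `auth_enabled_sasl` field of `stats settings` (assumed to be present only in SASL-capable builds) to decide which of the three CVEs a given server is still exposed to. The sample replies in the `__main__` block are constructed for illustration.

```python
import re
import socket

# First release the bulletin names as fixed: versions prior to 1.4.33 are affected.
FIXED_VERSION = (1, 4, 33)

# Reply to the ASCII-protocol "version" command looks like "VERSION 1.4.25\r\n".
_VERSION_RE = re.compile(r"^VERSION\s+(\d+)\.(\d+)\.(\d+)")


def parse_version_reply(reply: str):
    """Turn 'VERSION 1.4.25\\r\\n' into (1, 4, 25); None if the reply is not a version line."""
    m = _VERSION_RE.match(reply.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version) -> bool:
    """True when the running version predates the fixed release 1.4.33."""
    return tuple(version) < FIXED_VERSION


def sasl_enabled(stats_settings_reply: str) -> bool:
    """Scan a 'stats settings' reply for 'STAT auth_enabled_sasl yes'.

    Assumption: the field is reported only by builds compiled with SASL support,
    so a missing field is treated as 'not enabled'.
    """
    for line in stats_settings_reply.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "STAT" and parts[1] == "auth_enabled_sasl":
            return parts[2].lower() == "yes"
    return False


def assess(version_reply: str, stats_reply: str = "") -> dict:
    """Map the two protocol replies to the CVEs from ASB-2016.0099 that still apply."""
    version = parse_version_reply(version_reply)
    if version is None:
        return {"version": None, "vulnerable": None, "affected_cves": [],
                "note": "unrecognised version reply; verify the service manually"}
    vulnerable = is_vulnerable(version)
    cves = []
    if vulnerable:
        # The append/prepend and update overflows apply to every affected build.
        cves = ["CVE-2016-8704", "CVE-2016-8705"]
        # The SASL overflow additionally needs SASL support compiled in and enabled.
        if sasl_enabled(stats_reply):
            cves.append("CVE-2016-8706")
    return {"version": version, "vulnerable": vulnerable, "affected_cves": cves}


def query_server(host: str, port: int = 11211, timeout: float = 3.0) -> dict:
    """Ask a live server for 'version' and 'stats settings' and assess it.

    Network path; not exercised by the offline checks below.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"version\r\n")
        version_reply = s.recv(256).decode("ascii", "replace")
        s.sendall(b"stats settings\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):  # stats output is terminated by END
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return assess(version_reply, buf.decode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed sample replies, standing in for two hypothetical servers.
    old_sasl_build = assess("VERSION 1.4.25\r\n",
                            "STAT maxbytes 67108864\r\nSTAT auth_enabled_sasl yes\r\nEND\r\n")
    patched_build = assess("VERSION 1.4.33\r\n", "STAT auth_enabled_sasl no\r\nEND\r\n")
    for name, result in (("old SASL build", old_sasl_build), ("patched build", patched_build)):
        print(f"{name}: version={result['version']} vulnerable={result['vulnerable']} "
              f"cves={result['affected_cves']}")
```

Run it against your own fleet with `query_server(host)` per instance; anything reported as vulnerable should be upgraded, and, per the Talos advice quoted above, any instance reachable from outside its trusted network should be firewalled or bound to an internal interface regardless of version.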