Debian update for memcached

Published: 2018-06-07

Risk	High
Patch available	YES
Number of vulnerabilities	4
CVE-ID	CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127 CVE-2016-8705
CWE-ID	CWE-126 CWE-406 CWE-190 CWE-122
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software	Debian Linux Operating systems & Components / Operating system
Vendor	Debian

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Buffer over-read

EUVDB-ID: #VU10898

Risk: High

CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2017-9951

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the try_read_command function in memcached.c in memcached before 1.4.39. A remote attacker can perform a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and unsigned int and triggers a heap-based buffer over-read.

The vulnerability is dubbed Twistlock.

Mitigation

Update the affected package to version: 1.4.21-1.1+deb8u2, 1.4.33-1+deb9u1

Vulnerable software versions

Debian Linux: All versions

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2018/dsa-4218

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

2) Network amplification

EUVDB-ID: #VU11194

Risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C]

CVE-ID: CVE-2018-1000115

CWE-ID: CWE-406 - Insufficient Control of Network Message Volume (Network Amplification)

Exploit availability: Yes

Description

The vulnerability allows a remote unauthenticated attacker to conduct DDoS amplification attack against the target system.

The weakness exists due to insufficient control of network message volume. A remote attacker can scan for affected, insecure Memcached servers via UDP port 11211,spoof UDP packets, send a specially crafted request, trigger a response and conduct DDoS amplification attack.

Mitigation

Update the affected package to version: 1.4.21-1.1+deb8u2, 1.4.33-1+deb9u1

Vulnerable software versions

Debian Linux: All versions

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2018/dsa-4218

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

3) Integer overflow

EUVDB-ID: #VU11124

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000127

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the items.c:item_free() function due to improper bounds checks. A remote attacker can trigger integer overflow and cause the service to crash.

Mitigation

Update the affected package to version: 1.4.21-1.1+deb8u2, 1.4.33-1+deb9u1

Vulnerable software versions

Debian Linux: All versions

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2018/dsa-4218

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Heap-based buffer overflow

EUVDB-ID: #VU4139

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8705

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the process_bin_update() function due to integer overflow. A remote attacker can send specially crafted Memcached binary protocol commands, trigger heap-based buffer overflow and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected package to version: 1.4.21-1.1+deb8u2, 1.4.33-1+deb9u1

Vulnerable software versions

Debian Linux: All versions

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2018/dsa-4218

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.