ID CVE-2016-8706
Summary An integer overflow in the process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution.
References
Vulnerable Configurations
  • cpe:2.3:a:memcached:memcached:1.4.31
CVSS
Base: 6.8 (as of 09-01-2017 - 14:30)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161123_MEMCACHED_ON_SL7_X.NASL
    description Security Fix(es) : - Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706)
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 95866
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95866
    title Scientific Linux Security Update : memcached on SL7.x x86_64
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-12 (memcached: Multiple vulnerabilities) Multiple integer overflow vulnerabilities were discovered in memcached. Please review the CVE identifiers and Cisco TALOS reports referenced below for details. Impact : A remote attacker could abuse memcached’s binary protocol leading to the remote execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2017-10-02
    plugin id 96243
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96243
    title GLSA-201701-12 : memcached: Multiple vulnerabilities
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1086.NASL
    description According to the versions of the memcached package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) - An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-05-04
    plugin id 99845
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99845
    title EulerOS 2.0 SP1 : memcached (EulerOS-SA-2016-1086)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-0C4E822340.NASL
    description Update to the latest upstream release, which fixes CVE-2016-8704, CVE-2016-8705, CVE-2016-8706. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 95611
    published 2016-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95611
    title Fedora 25 : memcached (2016-0c4e822340)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-761.NASL
    description An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706)
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94681
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94681
    title Amazon Linux AMI : memcached (ALAS-2016-761)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3704.NASL
    description Aleksandar Nikolic of Cisco Talos discovered several integer overflow vulnerabilities in memcached, a high-performance memory object caching system. A remote attacker can take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94521
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94521
    title Debian DSA-3704-1 : memcached - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2819.NASL
    description An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706)
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 95291
    published 2016-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95291
    title RHEL 7 : memcached (RHSA-2016:2819)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F4BF713F6AC74B76898047BF90C5419F.NASL
    description Cisco Talos reports : Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands. An attacker could exploit these vulnerabilities by sending a specifically crafted Memcached command to the targeted server. Additionally, these vulnerabilities could also be exploited to leak sensitive process information which an attacker could use to bypass common exploitation mitigations, such as ASLR, and can be triggered multiple times. This enables reliable exploitation which makes these vulnerabilities severe.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94459
    published 2016-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94459
    title FreeBSD : memcached -- multiple vulnerabilities (f4bf713f-6ac7-4b76-8980-47bf90c5419f)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3120-1.NASL
    description Aleksandar Nikolic discovered that Memcached incorrectly handled certain malformed commands. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94509
    published 2016-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94509
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : memcached vulnerabilities (USN-3120-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-701.NASL
    description Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. A remote attacker could take advantage of these flaws to cause a denial of service (daemon crash), or potentially to execute arbitrary code. CVE-2013-7291 It was discovered that memcached, when running in verbose mode, can be crashed by sending carefully crafted requests that trigger an unbounded key print, resulting in a daemon crash. CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Aleksandar Nikolic of Cisco Talos found several vulnerabilities in memcached. A remote attacker could cause an integer overflow by sending carefully crafted requests to the memcached server, resulting in a daemon crash. For Debian 7 'Wheezy', these problems have been fixed in version 1.4.13-0.2+deb7u2. We recommend that you upgrade your memcached packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94584
    published 2016-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94584
    title Debian DLA-701-1 : memcached security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2819.NASL
    description An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706)
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 95356
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95356
    title CentOS 7 : memcached (CESA-2016:2819)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1313.NASL
    description This update for memcached fixes the following security issues : - CVE-2016-8704: Server append/prepend remote code execution (boo#1007871) - CVE-2016-8705: Server update remote code execution (boo#1007870) - CVE-2016-8706: Server ASL authentication remote code execution (boo#1007869)
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94948
    published 2016-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94948
    title openSUSE Security Update : memcached (openSUSE-2016-1313)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1314.NASL
    description This update for memcached fixes the following security issues : - CVE-2016-8704: Server append/prepend remote code execution (boo#1007871) - CVE-2016-8705: Server update remote code execution (boo#1007870) - CVE-2016-8706: Server ASL authentication remote code execution (boo#1007869) In addition, memcached was updated to 1.4.33 to include all upstream improvements and bugfixes.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94949
    published 2016-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94949
    title openSUSE Security Update : memcached (openSUSE-2016-1314)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2819.NASL
    description From Red Hat Security Advisory 2016:2819 : An update for memcached is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Security Fix(es) : * Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705) * An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8706)
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 95276
    published 2016-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95276
    title Oracle Linux 7 : memcached (ELSA-2016-2819)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-66C70CADB4.NASL
    description Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94814
    published 2016-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94814
    title Fedora 24 : memcached (2016-66c70cadb4)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-4DF986A71F.NASL
    description Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-01-16
    plugin id 94804
    published 2016-11-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94804
    title Fedora 23 : memcached (2016-4df986a71f)
packetstorm via4
data source https://packetstormsecurity.com/files/download/139572/memcache-poc.txt
id PACKETSTORM:139572
last seen 2016-12-05
published 2016-11-03
reporter dawu
source https://packetstormsecurity.com/files/139572/Memcached-1.4.33-Proof-Of-Concept.html
title Memcached 1.4.33 Proof Of Concept
redhat via4
advisories
bugzilla
id 1390512
title CVE-2016-8706 memcached: SASL authentication remote code execution
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment memcached is earlier than 0:1.4.15-10.el7_3.1
        oval oval:com.redhat.rhsa:tst:20162819007
      • comment memcached is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162819008
    • AND
      • comment memcached-devel is earlier than 0:1.4.15-10.el7_3.1
        oval oval:com.redhat.rhsa:tst:20162819005
      • comment memcached-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162819006
rhsa
id RHSA-2016:2819
released 2016-11-23
severity Important
title RHSA-2016:2819: memcached security update (Important)
rpms
  • memcached-0:1.4.15-10.el7_3.1
  • memcached-devel-0:1.4.15-10.el7_3.1
refmap via4
bid 94083
debian DSA-3704
gentoo GLSA-201701-12
misc http://www.talosintelligence.com/reports/TALOS-2016-0221/
sectrack 1037333
talos via4
id TALOS-2016-0221
last seen 2017-07-26
published 2016-10-31
reporter Talos Intelligence
source http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0221
title Memcached Server SASL Autentication Remote Code Execution Vulnerability
the hacker news via4
Last major update 17-01-2017 - 21:59
Published 06-01-2017 - 16:59
Last modified 27-07-2017 - 21:29