Multiple RCE flaws found in Memcached web speed tool

Facebook, Twitter, YouTube, Reddit among big ticket sites possibly affected

A remote code execution vulnerability in popular website backend performance tool Memcached has been found and squashed.

Cisco penetration tester Aleksandar Nikolich reported three remote code execution holes in the tool used by big name sites including Facebook, Twitter, YouTube, and Reddit to help decrease database burdens and increase performance.

Nikolich says the flaws can compromise the many sites that expose Memcache servers to the internet.

He says attackers can further use the vulnerabilities to bypass exploit defences address space layout randomisation. Here's his take on the situation:

"Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands.

The integer overflows flaws (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706) affect version 1.4.31 of Memcached and earlier.

Nikollich says attackers can send repeat specifically-crafted Memcached commands to targeted servers making the attacks reliable and considered "severe".

It took Memcached authors only two days to build a patch but another 19 to prep it for release on 31 October.

A patch notice explains that "serious" remote code execution bugs were fixed relating to the binary protocol and SASL authentication.

"If you do not use the binary protocol at all, a workaround is to start memcached with -B ascii - otherwise you will need the patch in this release," they say.

Nikollich warns admins to apply the patch even to Memcached servers exposed to trusted environments, since attackers with existing access could move laterally into those networks.

"While it's strongly recommend that Memcached servers are setup so that they are only accessible within a trusted environment, many Memcached servers are setup so that they are accessible over the internet," he says.

Cisco has released Snort intrusion detection rules to detect Memcached exploitation attempts. ®


Biting the hand that feeds IT © 1998–2017