Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it

An annoying security flaw been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software.

On Monday morning a netizen with the handle IceJi publicly revealed the presence of that could be exploited to crash the software: specifically, the flaw is a buffer-overflow in the binary protocol header in memcached versions 1.6.0 and 1.6.1. Developers were not warned of the bug prior to the public disclosure.

A project maintainer, Dormando, told The Register that the bug was addressed just hours after being reported, and admins can get the fix by updating to the new version 1.6.2.

The flaw itself appears to be down to a simple missing sanity check on the parameter extlen in an memcpy() function call:

6178   char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];
6179   memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), extlen);

If an attacker can make extlen large, a buffer overflow occurs, crashing the software. There is no word on whether this can be used to achieve remote-code execution.

The decision to drop the bug as a zero-day drew criticism from many on the project, who pointed out that conventionally developers are given advance, private notice of several weeks to patch bugs before their details become public.

Debates about the merits of coordinated disclosure aside, server admins will want to patch this bug promptly. You shouldn't really leave memcached facing the internet, just in case, but to be safe rather than sorry: update when you can. Having said that, there are tens of thousands of servers facing the internet that appear to be running memcached on its default port of 11211.

According a quick Shodan.io probe by El Reg on Monday, some 83,000 machines worldwide have something running on that port exposed to the open internet – some could be other services, though, it may not all be memcached.

It is not known how many of those would have the vulnerable component accessible, or how many are even running one of the two vulnerable versions: the flaw was introduced in 1.6.0. Still, it would be wise to get updated ASAP. ®