CVE-2016-8705 - Multiple integer overflows in process_bin_update function in Memcached, which is responsible for pro

CVE-2016-8705

Summary

Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.

References

Vulnerable Configurations

cpe:2.3:a:memcached:memcached:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.9:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.9:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.10:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.10:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.11:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.11:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.12:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.12:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.13:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.13:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.14:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.14:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.15:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.15:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.16:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.16:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.17:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.17:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.18:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.18:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.19:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.19:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.20:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.20:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.21:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.21:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.22:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.22:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.23:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.23:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.24:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.24:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.25:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.25:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.26:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.26:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.27:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.27:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.28:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.28:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.29:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.29:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.30:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.30:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.31:*:*:*:*:*:*:*
cpe:2.3:a:memcached:memcached:1.4.31:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 19-04-2022 - 20:15)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

redhat via4

advisories

bugzilla

id	1390511
title	CVE-2016-8705 memcached: Server update remote code execution

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND
comment memcached is earlier than 0:1.4.4-3.el6_8.1
oval oval:com.redhat.rhsa:tst:20162820001
comment memcached is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162819002

AND

comment memcached-devel is earlier than 0:1.4.4-3.el6_8.1
oval oval:com.redhat.rhsa:tst:20162820003
comment memcached-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20162819004

rhsa

id	RHSA-2016:2820
released	2016-11-23
severity	Important
title	RHSA-2016:2820: memcached security update (Important)

rhsa
id RHSA-2016:2819
rhsa
id RHSA-2017:0059

rpms

memcached-0:1.4.15-10.el7_3.1
memcached-debuginfo-0:1.4.15-10.el7_3.1
memcached-devel-0:1.4.15-10.el7_3.1
memcached-0:1.4.4-3.el6_8.1
memcached-debuginfo-0:1.4.4-3.el6_8.1
memcached-devel-0:1.4.4-3.el6_8.1
rhmap-fh-openshift-templates-0:1.0.0-5.el7

refmap via4

bid	94083
debian	DSA-3704
gentoo	GLSA-201701-12
misc	http://www.talosintelligence.com/reports/TALOS-2016-0220/
sectrack	1037333

Last major update

19-04-2022 - 20:15

Published

06-01-2017 - 21:59

Last modified

19-04-2022 - 20:15