Bug 22688 - memcached new security issue CVE-2018-1000115
Summary: memcached new security issue CVE-2018-1000115
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-03 13:53 CET by David Walser
Modified: 2018-03-21 20:43 CET

See Also:
Source RPM: memcached-1.5.4-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-03-03 13:53:26 CET
A CVE was assigned for a configuration issue in memcached:
http://www.openwall.com/lists/oss-security/2018/03/03/1

The UDP protocol is vulnerable to amplification attacks, and is also considered deprecated.  Fortunately we have limited it to localhost in our configuration, so we're not especially vulnerable and probably don't need to push a stable update for this now, but our configuration should be updated again to disable the UDP protocol by default.

The issue is fixed by default in 1.5.6 upstream.
Comment 1 Marja Van Waes 2018-03-03 20:01:06 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some recent committers.

CC: (none) => mageia, marja11, mrambo, shlomif
Assignee: bugsquad => pkg-bugs

Marc Krämer 2018-03-04 22:00:11 CET

Assignee: pkg-bugs => mageia

Comment 2 Marc Krämer 2018-03-04 22:09:18 CET
I agree with you: by default we only use localhost, but this is easily changed, whereas disabling the UDP port needs a change to the systemd config.

I've updated the systemd config to disable the UDP port in 6 and cauldron.
This change will take effect on the next memcached update to mageia 6.
Comment 3 David Walser 2018-03-09 14:26:47 CET
The Mageia 6 package should also be updated to a newer version, due to this note:
http://openwall.com/lists/oss-security/2018/03/08/1
Comment 4 David Walser 2018-03-09 14:27:45 CET
Specifically at least 1.4.37, according to this note:
http://openwall.com/lists/oss-security/2018/03/08/7
Comment 5 Marc Krämer 2018-03-09 20:46:29 CET
ok, that's a change. Never had those deadlocks, but if they exist, and we know it, I'll push an update later.
Comment 6 Marc Krämer 2018-03-11 15:59:31 CET
I'm not sure if I used the given test script correctly, since even with our current release I was not able to get any buffer overflows or deadlocks. Nevertheless, there is a new version available in 6/updates_testing:


Suggested advisory:
========================

Updated memcached packages fix security vulnerabilities:

Memcached enabled UDP by default, which could be exploited to cause a denial of service via network flood (CVE-2018-1000115). By default the UDP port is now closed.

With this release some overflow and deadlock situations get fixed too.

References:
========================
http://www.openwall.com/lists/oss-security/2018/03/03/1
http://openwall.com/lists/oss-security/2018/03/08/1
http://openwall.com/lists/oss-security/2018/03/08/7


Updated packages in core/updates_testing:
========================
memcached-1.5.6-1.mga6

Source RPMs:
memcached-1.5.6-1.mga6.src.rpm
Marc Krämer 2018-03-11 16:00:33 CET

Assignee: mageia => qa-bugs

Marc Krämer 2018-03-11 16:02:35 CET

Version: Cauldron => 6

Comment 7 claire robinson 2018-03-11 16:25:04 CET
Advisory uploaded.

Previous procedure at bug 12156 comment 8 but with UDP disabled this may now fail.

Keywords: (none) => advisory, has_procedure

Comment 8 PC LX 2018-03-12 00:17:05 CET
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.


# uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q memcached
memcached-1.5.6-1.mga6
# systemctl start memcached@11211
# systemctl status memcached@11211
● memcached@11211.service - Memcached NoSQL key+value store on port 11211
   Loaded: loaded (/usr/lib/systemd/system/memcached@.service; disabled; vendor preset: enabled)
   Active: active (running) since Dom 2018-03-11 23:04:38 WET; 8min ago
  Process: 31107 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U 0 -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /run/memcached/%i.pid (code=exited, status=0/SUCCESS)
 Main PID: 31108 (memcached)
      CPU: 78ms
   CGroup: /system.slice/system-memcached.slice/memcached@11211.service
           └─31108 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 0 -m 64 -t 4 -c 1024 -P /run/memcached/11211.pid

Mar 11 23:04:38 marte systemd[1]: Starting Memcached NoSQL key+value store on port 11211...
Mar 11 23:04:38 marte systemd[1]: memcached@11211.service: PID file /run/memcached/11211.pid not readable (yet?) after start: No such file or directory
Mar 11 23:04:38 marte systemd[1]: Started Memcached NoSQL key+value store on port 11211.
# lsof -nP | grep memcached.*IPv4
memcached 31108              memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31109        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31110        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31111        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31112        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31113        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31114        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31115        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31116        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)
memcached 31108 31117        memcached   26u     IPv4            2804753      0t0        TCP 127.0.0.1:11211 (LISTEN)


$ cat test.php
#!/bin/php
<?php

$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";
$ php test.php
my test data : SUCCESS

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK
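
Added example, not part of the original thread or of Mageia's packaging: a shell check that classifies a memcached command line, such as the one in the status output of comment 8, by UDP exposure. The function names and the 1.4.25 sample version are assumptions made for illustration; the 1.5.6 default comes from the bug description.

```sh
#!/bin/sh
# Added example: classify a memcached command line by UDP exposure.
# Only the short option forms are parsed (-U 0, -U0, -l ADDR, -lADDR).

# opt_value FLAG CMDLINE: print the argument of the last FLAG, or "unset".
opt_value() (
    set -f                      # word-split the command line without globbing
    flag=$1 val=unset prev=
    for arg in $2; do
        if [ "$prev" = "$flag" ]; then
            val=$arg
        else
            case $arg in "$flag"?*) val=${arg#"$flag"} ;; esac
        fi
        prev=$arg
    done
    echo "$val"
)

# version_ge A B: succeed if dotted version A >= B (first three numeric fields).
version_ge() {
    for i in 1 2 3; do
        x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# udp_exposure CMDLINE VERSION: print off, loopback or exposed.
udp_exposure() {
    udp=$(opt_value -U "$1")
    addr=$(opt_value -l "$1")
    # Without -U the built-in default applies; UDP is off by default from 1.5.6.
    if [ "$udp" = unset ] && version_ge "$2" 1.5.6; then udp=0; fi
    if [ "$udp" = 0 ]; then echo off; return 0; fi
    case $addr in
        *,*|unset)           echo exposed ;;   # address list or all interfaces
        127.*|::1|localhost) echo loopback ;;
        *)                   echo exposed ;;
    esac
}

# Command line from the status output in comment 8, then two constructed ones
# (the 1.4.25 version number is a constructed sample, not taken from the bug).
udp_exposure "/usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 0 -m 64 -t 4 -c 1024" 1.5.6
udp_exposure "/usr/bin/memcached -d -l 127.0.0.1 -p 11211 -m 64" 1.4.25
udp_exposure "/usr/bin/memcached -d -l 0.0.0.0 -p 11211 -m 64" 1.4.25
```

An address list given to `-l` is reported as exposed without inspecting each entry, so a list made up only of loopback addresses is over-reported rather than missed.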

Comment 9 claire robinson 2018-03-14 15:09:35 CET
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2018-03-14 17:22:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0165.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 David Walser 2018-03-21 20:43:13 CET
(In reply to David Walser from comment #4)
> Specifically at least 1.4.37, according to this note:
> http://openwall.com/lists/oss-security/2018/03/08/7

There's a CVE for the fix in 1.4.37, CVE-2018-1000127, so we fixed that here too.

Ubuntu has issued an advisory for that on March 19:
https://usn.ubuntu.com/3601-1/
