Bug 9928 - memcached - remote DoS (CVE-2011-4971)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574929/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update
Reported: 2013-04-30 07:14 CEST by Oden Eriksson
Modified: 2013-11-25 19:26 CET (History)

See Also:
Source RPM: memcached
CVE:
Status comment:



Description Oden Eriksson 2013-04-30 07:14:20 CEST
http://www.openwall.com/lists/oss-security/2013/04/30/3
http://insecurety.net/?p=872
http://www.sensepost.com/blog/4873.html

However, ever since I added memcached to Mandriva I made it listen to 127.0.0.1, as a precaution. So, a default install is unaffected.

Quite interesting reading these links though.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-08-11 16:25:32 CEST
RedHat has a link to a proposed patch upstream:
https://bugzilla.redhat.com/show_bug.cgi?id=957964#c6
Comment 2 David Walser 2013-11-21 22:59:11 CET
Changing the version assignment to Cauldron...assuming this hasn't been addressed yet.
Comment 3 Oden Eriksson 2013-11-22 10:59:51 CET
memcached-1.4.15-3.mga4, memcached-1.4.15-1.mga3 and memcached-1.4.15-1.mga2 have been submitted where this is fixed.
Comment 4 David Walser 2013-11-22 13:24:08 CET
Thanks Oden.

Note to QA: there's a PoC in the insecurety.net link in Comment 0.

Advisory:
========================

Updated memcached packages fix security vulnerability:

Memcached before 1.4.15 is vulnerable to a denial of service as it can be made
to crash when it receives a specially crafted packet over the network
(CVE-2011-4971).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4971
http://www.openwall.com/lists/oss-security/2013/04/30/3
https://bugzilla.redhat.com/show_bug.cgi?id=957964
========================

Updated packages in core/updates_testing:
========================
memcached-1.4.15-1.mga2
memcached-devel-1.4.15-1.mga2
memcached-1.4.15-1.mga3
memcached-devel-1.4.15-1.mga3

from SRPMS:
memcached-1.4.15-1.mga2.src.rpm
memcached-1.4.15-1.mga3.src.rpm
Comment 5 claire robinson 2013-11-22 14:45:15 CET
Testing complete mga2 32

Memcached uses a templated systemd service.

# systemctl start memcached@11211.service

# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:02:33 +0000; 7s ago
         Process: 27595 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 27596 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 27596 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...

The PoC doesn't kill it from localhost.

Edited /lib/systemd/system/memcached@.service and changed IPADDR=127.0.0.1 to 0.0.0.0 in the Environment line so it listens to other than localhost.

# systemctl --system daemon-reload

then restarted the service and confirmed it was now -l 0.0.0.0 then tried the PoC from a different computer and it still didn't kill it. Confirmed with ps.

$ python killthebox.py laptop 11211
Memcached Remote DoS - Bursting Clouds yo!
[+] Target Host: laptop
[+] Target Port: 11211
[+] Connected, firing payload!
[+] Payload Sent!
[*] Should be dead...

Just going to check that the service starts OK with the update installed and maybe that the PoC can at least connect to it. Which it does in this case.
Comment 6 claire robinson 2013-11-22 14:56:41 CET
Testing complete mga2 64

The PoC is effective here even locally, but I did run it as root.

Before
------
# systemctl start memcached@11211.service
# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:50:05 +0000; 7s ago
         Process: 5214 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5215 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 5215 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...

# python killthebox.py localhost 11211

Memcached Remote DoS - Bursting Clouds yo!
[+] Target Host: localhost
[+] Target Port: 11211
[+] Connected, firing payload!
[+] Payload Sent!
[*] Should be dead...

# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: failed (Result: signal) since Fri, 22 Nov 2013 13:50:17 +0000; 2s ago
         Process: 5214 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5215 (code=killed, signal=SEGV)
          CGroup: name=systemd:/system/memcached@.service/11211


Shows SEGV, segfault.



After
-----
# systemctl restart memcached@11211.service
# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:55:06 +0000; 4s ago
         Process: 5320 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5321 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 5321 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...

# python killthebox.py localhost 11211
Memcached Remote DoS - Bursting Clouds yo!
[+] Target Host: localhost
[+] Target Port: 11211
[+] Connected, firing payload!
[+] Payload Sent!
[*] Should be dead...

# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:55:06 +0000; 20s ago
         Process: 5320 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5321 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 5321 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...
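A defender-side check distilled from the QA procedure in Comments 5 and 6, added here as an example (it is not part of the bug report, of Mageia's packaging or of the memcached project): it reads `systemctl status` output like the one quoted above and reports the bind address (the loopback-only default that Comment 0 relies on), whether the main process died with SEGV (the crash signature seen before the update), and whether the installed package version is below the 1.4.15 named in the advisory. The sample status texts are copied from this bug; the package names are the ones listed in Comment 4, plus one constructed older version. Since the Mageia fix is 1.4.15 plus a patch (Comment 10), the version check only catches clearly older builds.

```python
import re

# Constructed sample: the failed `systemctl status` from Comment 6, trimmed
# to the lines the checker reads (no child process line survives a crash).
CRASHED_STATUS = """\
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Active: failed (Result: signal) since Fri, 22 Nov 2013 13:50:17 +0000; 2s ago
         Main PID: 5215 (code=killed, signal=SEGV)
"""

# Constructed sample: the healthy status after the update (Comment 6).
HEALTHY_STATUS = """\
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Active: active (running) since Fri, 22 Nov 2013 13:55:06 +0000; 4s ago
         Main PID: 5321 (memcached)
                  └ 5321 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...
"""

FIXED_VERSION = (1, 4, 15)  # version named in the advisory in Comment 4


def parse_version(nvr):
    """'memcached-1.4.15-1.mga3' -> (1, 4, 15); release and distro tag ignored."""
    m = re.match(r"memcached-(\d+)\.(\d+)\.(\d+)-", nvr)
    if not m:
        raise ValueError("unrecognised package name: " + nvr)
    return tuple(int(x) for x in m.groups())


def assess(status_text, package_nvr):
    """Summarise exposure and crash state for one host from its status output."""
    # The `-l` argument on the memcached command line is the bind address.
    listen = re.search(r"/usr/bin/memcached\b.*?\s-l\s+(\S+)", status_text)
    bound_to = listen.group(1) if listen else None
    # Both the systemctl form and the journal form of a SEGV death are matched.
    segv = "signal=SEGV" in status_text or "status=11/SEGV" in status_text
    return {
        "bound_to": bound_to,
        # None when the command line is absent; True if reachable beyond loopback
        "network_exposed": None if bound_to is None else not bound_to.startswith("127."),
        "crashed_segv": segv,
        "version_below_fix": parse_version(package_nvr) < FIXED_VERSION,
    }
```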
Comment 7 claire robinson 2013-11-22 15:09:24 CET
Testing complete mga3 32 & 64

Before :(
---------
systemd[1]: memcached@11211.service: main process exited, code=killed, status=11/SEGV


After :)
--------
systemd[1]: Started Memcached NoSQL key+value store on port 11211.

Happy daemon.
Comment 8 claire robinson 2013-11-22 15:14:50 CET
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 9 Oden Eriksson 2013-11-22 15:18:58 CET
FYI. "make test" has the PoC and passes.
Comment 10 Oden Eriksson 2013-11-22 16:10:20 CET
The advisory is slightly wrong.

Advisory:
========================

Updated memcached packages fix security vulnerability:

Memcached is vulnerable to a denial of service as it can be made to crash when it receives a specially crafted packet over the network (CVE-2011-4971).

The updated packages have been upgraded to the 1.4.15 version and patched to resolve this flaw.
Comment 11 claire robinson 2013-11-22 16:12:40 CET
Updated, thanks.
Comment 12 Thomas Backlund 2013-11-22 20:21:36 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0339.html
