http://www.openwall.com/lists/oss-security/2013/04/30/3
http://insecurety.net/?p=872
http://www.sensepost.com/blog/4873.html

However, ever since I added memcached to Mandriva I made it listen to 127.0.0.1, as a precaution. So, a default install is unaffected. Quite interesting reading these links though.
CC: (none) => luigiwalser
RedHat has a link to a proposed patch upstream: https://bugzilla.redhat.com/show_bug.cgi?id=957964#c6
Summary: CVE-2011-4971: memcached - remote Dos => memcached - remote Dos (CVE-2011-4971)
Changing the version assignment to Cauldron...assuming this hasn't been addressed yet.
Version: 2 => Cauldron
memcached-1.4.15-3.mga4, memcached-1.4.15-1.mga3 and memcached-1.4.15-1.mga2 have been submitted where this is fixed.
Thanks Oden. Note to QA: there's a PoC in the insecurety.net link in Comment 0.

Advisory:
========================

Updated memcached packages fix security vulnerability:

Memcached before 1.4.15 is vulnerable to a denial of service as it can be made to crash when it receives a specially crafted packet over the network (CVE-2011-4971).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4971
http://www.openwall.com/lists/oss-security/2013/04/30/3
https://bugzilla.redhat.com/show_bug.cgi?id=957964
========================

Updated packages in core/updates_testing:
========================
memcached-1.4.15-1.mga2
memcached-devel-1.4.15-1.mga2
memcached-1.4.15-1.mga3
memcached-devel-1.4.15-1.mga3

from SRPMS:
memcached-1.4.15-1.mga2.src.rpm
memcached-1.4.15-1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA2TOO
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Severity: normal => critical
Testing complete mga2 32

Memcached uses a templated systemd service.

# systemctl start memcached@11211.service
# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:02:33 +0000; 7s ago
         Process: 27595 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 27596 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 27596 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...

The PoC doesn't kill it from localhost. Edited /lib/systemd/system/memcached@.service and changed IPADDR=127.0.0.1 to 0.0.0.0 in the Environment line so it listens to other than localhost.

# systemctl --system daemon-reload

then restarted the service and confirmed it was now -l 0.0.0.0, then tried the PoC from a different computer and it still didn't kill it. Confirmed with ps.

$ python killthebox.py laptop 11211
Memcached Remote DoS - Bursting Clouds yo!
[+] Target Host: laptop
[+] Target Port: 11211
[+] Connected, firing payload!
[+] Payload Sent!
[*] Should be dead...

Just going to check that the service starts OK with the update installed and maybe that the PoC can at least connect to it. Which it does in this case.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga2-32-ok
Testing complete mga2 64

The PoC is effective here even locally, but I did run it as root.

Before
------
# systemctl start memcached@11211.service
# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:50:05 +0000; 7s ago
         Process: 5214 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5215 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 5215 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...

# python killthebox.py localhost 11211
Memcached Remote DoS - Bursting Clouds yo!
[+] Target Host: localhost
[+] Target Port: 11211
[+] Connected, firing payload!
[+] Payload Sent!
[*] Should be dead...

# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: failed (Result: signal) since Fri, 22 Nov 2013 13:50:17 +0000; 2s ago
         Process: 5214 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5215 (code=killed, signal=SEGV)
          CGroup: name=systemd:/system/memcached@.service/11211

Shows SEGV, segfault.

After
-----
# systemctl restart memcached@11211.service
# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:55:06 +0000; 4s ago
         Process: 5320 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5321 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 5321 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...

# python killthebox.py localhost 11211
Memcached Remote DoS - Bursting Clouds yo!
[+] Target Host: localhost
[+] Target Port: 11211
[+] Connected, firing payload!
[+] Payload Sent!
[*] Should be dead...

# systemctl status memcached@11211.service
memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:55:06 +0000; 20s ago
         Process: 5320 ExecStart=/usr/bin/memcached -d -l $IPADDR -p %i -U %i -m $CACHESIZE -t $THREADS -c $MAXCONN $OPTIONS -P /var/run/memcached/%i.pid (code=exited, status=0/SUCCESS)
        Main PID: 5321 (memcached)
          CGroup: name=systemd:/system/memcached@.service/11211
                  └ 5321 /usr/bin/memcached -d -l 127.0.0.1 -p 11211 -U 11211 -...
Whiteboard: MGA2TOO has_procedure mga2-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok
Testing complete mga3 32 & 64

Before :(
---------
systemd[1]: memcached@11211.service: main process exited, code=killed, status=11/SEGV

After :)
--------
systemd[1]: Started Memcached NoSQL key+value store on port 11211.

Happy daemon.
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
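The QA procedure in the comments above is the same on every arch: read `systemctl status` (or the journal) before and after firing the PoC, and call the update good only if the unit went from "active (running)" to "active (running)" rather than to "failed (Result: signal)" with the main PID killed by SEGV. The following is an added helper, not code from the ticket or from the memcached project, that turns that comparison into a mechanical verdict so it can be scripted on each test box. The two status blocks and the journal line are constructed samples cut down to the shapes shown in the comments; the `probe_version` liveness check, which sends the text-protocol `version` command, is an assumption about how a tester would confirm the daemon still answers and is not part of the ticket's procedure.

```python
import re
import socket

# Constructed samples, trimmed from the shapes shown in the QA comments
# (one healthy unit, one whose main process died with SIGSEGV after the PoC).
STATUS_RUNNING = """memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: active (running) since Fri, 22 Nov 2013 13:55:06 +0000; 20s ago
        Main PID: 5321 (memcached)
"""

STATUS_CRASHED = """memcached@11211.service - Memcached NoSQL key+value store on port 11211
          Loaded: loaded (/lib/systemd/system/memcached@.service; enabled)
          Active: failed (Result: signal) since Fri, 22 Nov 2013 13:50:17 +0000; 2s ago
        Main PID: 5215 (code=killed, signal=SEGV)
"""

JOURNAL_CRASHED = ("systemd[1]: memcached@11211.service: main process exited, "
                   "code=killed, status=11/SEGV")

ACTIVE_RE = re.compile(r"^\s*Active:\s+(\w+)\s+\(([^)]*)\)", re.M)
MAINPID_RE = re.compile(r"^\s*Main PID:\s+(\d+)\s+\((.*?)\)", re.M)
SIGNAL_RE = re.compile(r"signal=([A-Z0-9]+)")
JOURNAL_RE = re.compile(
    r"(\S+\.service): main process exited, code=killed, status=(\d+)/([A-Z0-9]+)")


def classify_status(text):
    """Parse `systemctl status` output into (state, signal).

    state is 'running', 'crashed' or 'unknown'; signal is the name from the
    Main PID line (e.g. 'SEGV') when the process was killed by one, else None.
    """
    m = ACTIVE_RE.search(text)
    if not m:
        return ("unknown", None)
    active, detail = m.group(1), m.group(2)
    if active == "active" and detail == "running":
        return ("running", None)
    sig = None
    pid = MAINPID_RE.search(text)
    if pid:
        s = SIGNAL_RE.search(pid.group(2))
        if s:
            sig = s.group(1)
    if active == "failed" or sig:
        return ("crashed", sig)
    return ("unknown", None)


def classify_journal(line):
    """Extract unit, exit status and signal from a systemd 'main process exited' line."""
    m = JOURNAL_RE.search(line)
    if not m:
        return None
    return {"unit": m.group(1), "status": int(m.group(2)), "signal": m.group(3)}


def verdict(before, after):
    """Compare status captured before and after firing the PoC.

    'vulnerable' if the daemon went from running to crashed, 'fixed' if it is
    still running, 'inconclusive' if it was not running to begin with.
    """
    b, _ = classify_status(before)
    a, _ = classify_status(after)
    if b != "running":
        return "inconclusive"
    if a == "crashed":
        return "vulnerable"
    if a == "running":
        return "fixed"
    return "inconclusive"


def probe_version(host, port, timeout=2.0):
    """Assumed liveness check (not from the ticket): the text-protocol 'version'
    command should answer 'VERSION x.y.z'. Returns the version or None if the
    daemon no longer accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"version\r\n")
            data = s.recv(64)
    except OSError:
        return None
    if data.startswith(b"VERSION "):
        return data[8:].strip().decode("ascii", "replace")
    return None


if __name__ == "__main__":
    print(verdict(STATUS_RUNNING, STATUS_CRASHED))   # vulnerable
    print(classify_journal(JOURNAL_CRASHED))
```

In use, capture `systemctl status memcached@11211.service` to a file before and after running the PoC and feed both to `verdict`; on a box where the journal is easier to read than the status block (as in the mga3 comment), `classify_journal` over `journalctl -u memcached@11211.service` gives the same signal information.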
Validating. Advisory uploaded. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
FYI. "make test" has the poc and passes.
The advisory is slightly wrong.

Advisory:
========================

Updated memcached packages fix security vulnerability:

Memcached is vulnerable to a denial of service as it can be made to crash when it receives a specially crafted packet over the network (CVE-2011-4971). The updated packages have been upgraded to the 1.4.15 version and patched to resolve this flaw.
Updated, thanks.
Update pushed: http://advisories.mageia.org/MGASA-2013-0339.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4971 => http://lwn.net/Vulnerabilities/574929/