Memcached Memcached Server 1.4.33 Released - security fix

eva2000 · Nov 3, 2016

Memcached Server 1.4.33 Security Fix Release

Centmin Mod LEMP stack by default install Memcached server so everyone who uses Centmin Mod needs to update to fix security vulnerabilities CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706

Updated both Centmin Mod 123.08stable and 123.09beta01 builds to default to Memcached server 1.4.33 security fix release. Once you update your local server Centmin Mod branch code via centmin.sh menu option 23 outlined below. You will need to exit centmin.sh and re-run centmin.sh again and run centmin.sh menu option 10 to update Memcached server to 1.4.33.

To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

Centmin Mod 1.2.3-eva2000.08 stable install & update thread

Centmin Mod 123.09beta thread

Example of centmin.sh menu option 23 git updating code.

centmin.sh menu option 10 after 123.09beta01 or 123.08stable update via centmin.sh menu option 23 submenu option 2.
Code (Text):
--------------------------------------------------------
     Centmin Mod Menu 123.09beta01 centminmod.com   
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install/Reinstall Redis PHP Extension
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Install/Re-Install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + Cache Plugin
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 10
--------------------------------------------------------
check Memcached server version installed
Code (Text):
memcached -V
memcached 1.4.33
ReleaseNotes1433 · memcached/memcached Wiki · GitHub

Overview
Serious remote code execution bugs are fixed in this release.

The bugs are related to the binary protocol as well as SASL authentication of the binary protocol.

If you do not use the binary protocol at all, a workaround is to start memcached with -B ascii - otherwise you will need the patch in this release.

The diff may apply cleanly to older versions as the affected code has not changed in a long time.

Full details of the issue may be found here: Cisco Talos Blog: Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached Identified and Patched

Fixes

CVE reported by cisco talos

New Features

None.

Click to expand...

Memcached 1.4.33
Code (Text):
echo stats | nc 127.0.0.1 11211
STAT pid 15529
STAT uptime 16
STAT time 1472078773
STAT version 1.4.33
STAT libevent 2.0.22-stable
STAT pointer_size 64
STAT rusage_user 0.001503
STAT rusage_system 0.014412
STAT curr_connections 5
STAT total_connections 6
STAT rejected_connections 0
STAT connection_structures 6
STAT reserved_fds 20
STAT cmd_get 0
STAT cmd_set 0
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 0
STAT get_misses 0
STAT get_expired 0
STAT get_flushed 0
STAT delete_misses 0
STAT delete_hits 0
STAT incr_misses 0
STAT incr_hits 0
STAT decr_misses 0
STAT decr_hits 0
STAT cas_misses 0
STAT cas_hits 0
STAT cas_badval 0
STAT touch_hits 0
STAT touch_misses 0
STAT auth_cmds 0
STAT auth_errors 0
STAT bytes_read 6
STAT bytes_written 0
STAT limit_maxbytes 5368709120
STAT accepting_conns 1
STAT listen_disabled_num 0
STAT time_in_listen_disabled_us 0
STAT threads 4
STAT conn_yields 0
STAT hash_power_level 16
STAT hash_bytes 524288
STAT hash_is_expanding 0
STAT slab_reassign_rescues 0
STAT slab_reassign_chunk_rescues 0
STAT slab_reassign_evictions_nomem 0
STAT slab_reassign_inline_reclaim 0
STAT slab_reassign_busy_items 0
STAT slab_reassign_running 0
STAT slabs_moved 0
STAT lru_crawler_running 0
STAT lru_crawler_starts 63
STAT lru_maintainer_juggles 171
STAT malloc_fails 0
STAT log_worker_dropped 0
STAT log_worker_written 0
STAT log_watcher_skipped 0
STAT log_watcher_sent 0
STAT bytes 0
STAT curr_items 0
STAT total_items 0
STAT slab_global_page_pool 0
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT evictions 0
STAT reclaimed 0
STAT crawler_reclaimed 0
STAT crawler_items_checked 0
STAT lrutail_reflocked 0
STAT moves_to_cold 0
STAT moves_to_warm 0
STAT moves_within_lru 0
STAT direct_reclaims 0
END
CVE Details

From Cisco Talos Blog: Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached Identified and Patched

VULNERABILITY DETAILS
Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands.

An attacker could exploit these vulnerabilities by sending a specifically crafted Memcached command to the targeted server. Additionally, these vulnerabilities could also be exploited to leak sensitive process information which an attacker could use to bypass common exploitation mitigations, such as ASLR, and can be triggered multiple times. This enables reliable exploitation which makes these vulnerabilities severe.

While it's strongly recommend that Memcached servers are setup so that they are only accessible within a trusted environment, many Memcached servers are setup so that they are accessible over the internet. Additionally, administrators should not neglect Memcached deployments in "trusted" environments as attackers may target vulnerable servers to move laterally within a network.

TALOS-2016-0219 - Memcached Server Append/Prepend Remote Code Execution Vulnerability

TALOS-2016-0220 - Memcached Server Update Remote Code Execution Vulnerability

TALOS-2016-0221 - Memcached Server SASL Authentication Remote Code Execution Vulnerability

For more detail on each vulnerability, please refer to the linked vulnerability report or visit the Vulnerability Report portal on our website:

Cisco Talos - Vulnerability Reports
Click to expand...

In The Media

Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System

Multiple RCE flaws found in Memcached web speed tool • The Register

Sunka · Nov 3, 2016

Done.
But we who do not use memcache at all (using redis), how to uninstall it?

eva2000 · Nov 3, 2016

don't uninstall but disable/turn off see Memcached Server - CentminMod.com LEMP Nginx web stack for CentOS

eva2000 · Nov 3, 2016

From Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System

Hackers Can Remotely Steal Sensitive Information

If exploited, the vulnerabilities could allow attackers to send repeat specifically-crafted Memcached commands to the targeted servers.

Moreover, the flaws could also be exploited to leak sensitive process information that can further be used to bypass standard exploitation mitigations, like ASLR (Address Space Layout Randomisation), making the attacks reliable and considerably "severe."

By default, Memcached service installed on your server is available to the world on TCP port 11211, so it has always been strongly recommended to limit its access within a trusted environment, behind the firewall.

So, if you have not yet updated your software to the latest release and Memcached service is publically accessible, an attacker can simply exploit these vulnerabilities to remotely steal sensitive information cached by the server without your knowledge.

What's even worse? These flaws could allow hackers to replace cached content with their malicious one in order to deface the website, serve phishing pages and malicious links to hijack victim's machine, placing hundreds of millions of online users at risk.
Click to expand...

Note, Centmin Mod installs CSF Firewall by default out of the box and Memcached port 11211 is not whitelisted anymore for public access to port 11211. You can verify this via this grep command on CSF config file /etc/csf/csf.conf and if command returns empty it means no mention of 11211 exists in the config file so memcached port 11211 is not publicly accessible anyway.
Code (Text):
grep '11211' /etc/csf/csf.conf

dorobo · Nov 3, 2016

Code:

# memcached -V
-bash: memcached: command not found

I'm safe right?

Matt · Nov 3, 2016

Anyone using Remi repo for their other servers has the updated version available :

Code (Text):

# yum --enablerepo=remi update memcached
Loaded plugins: fastestmirror
Setting up Update Process
Loading mirror speeds from cached hostfile
epel/metalink                                                                                                                                                                                                    |  24 kB     00:00    
 * base: fr.mirror.babylon.network
 * epel: fr.mirror.babylon.network
 * extras: fr.mirror.babylon.network
 * remi: fr.mirror.babylon.network
 * remi-safe: fr.mirror.babylon.network
 * updates: centos.quelquesmots.fr
MariaDB100                                                                                                                                                                                                       | 2.9 kB     00:00    
base                                                                                                                                                                                                             | 3.7 kB     00:00    
elasticsearch-2.x                                                                                                                                                                                                | 2.9 kB     00:00    
extras                                                                                                                                                                                                           | 3.4 kB     00:00    
newrelic                                                                                                                                                                                                         |  951 B     00:00    
remi                                                                                                                                                                                                             | 2.9 kB     00:00    
remi/primary_db                                                                                                                                                                                                  | 1.6 MB     00:00    
remi-safe                                                                                                                                                                                                        | 2.9 kB     00:00    
updates                                                                                                                                                                                                          | 3.4 kB     00:00    
updates/primary_db                                                                                                                                                                                               | 3.1 MB     00:00    
Resolving Dependencies
--> Running transaction check
---> Package memcached.x86_64 0:1.4.31-1.el6.remi will be updated
---> Package memcached.x86_64 0:1.4.33-1.el6.remi will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================================================================================
 Package                                                 Arch                                                 Version                                                          Repository                                          Size
========================================================================================================================================================================================================================================
Updating:
 memcached                                               x86_64                                               1.4.33-1.el6.remi                                                remi                                               107 k

Transaction Summary
========================================================================================================================================================================================================================================
Upgrade       1 Package(s)

Total download size: 107 k
Is this ok [y/N]: y
Downloading Packages:
memcached-1.4.33-1.el6.remi.x86_64.rpm                                                                                                                                                                           | 107 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : memcached-1.4.33-1.el6.remi.x86_64                                                                                                                                                                                   1/2 
  Cleanup    : memcached-1.4.31-1.el6.remi.x86_64                                                                                                                                                                                   2/2 
  Verifying  : memcached-1.4.33-1.el6.remi.x86_64                                                                                                                                                                                   1/2 
  Verifying  : memcached-1.4.31-1.el6.remi.x86_64                                                                                                                                                                                   2/2 

Updated:
  memcached.x86_64 0:1.4.33-1.el6.remi                                                                                                                                                                                                  

Complete!

eva2000 · Nov 3, 2016

dorobo said: ↑
Code:
# memcached -V
-bash: memcached: command not found
I'm safe right?
Click to expand...
looks like memcached wasn't installed correctly ? if you ran centmin.sh menu option 10, it will install it again.

Matt said: ↑

Anyone using Remi repo for their other servers has the updated version available :
Click to expand...

yeah remi repo version has update too. Centmin Mod doesn't use Remi repo for memcached as it has other customisations/optimisations in Memcached not available in yum repo version including special setup for OpenVZ VPSes for more sane memory usage.

also 123.09beta01 has other intel processor specific optimisations that are optional if you set in persistent config file GENERAL_DEVTOOLSETGCC='y' https://community.centminmod.com/th...ble-to-enable-devtoolset-3-gcc-4-9-in-….9020/

dorobo · Nov 3, 2016

eva2000 said: ↑

looks like memcached wasn't installed correctly ? if you ran centmin.sh menu option 10, it will install it again.
Click to expand...

My custom config includes
Code (Text):
MEMCACHED_DISABLED=y
MEMCACHED_INSTALL=n
PHP_MEMCACHE='n'
PHP_MEMCACHED='n'

eva2000 · Nov 3, 2016

dorobo said: ↑

MEMCACHED_INSTALL=n
Click to expand...

that's why.. no memcached server installed when initial install of centmin mod

Derek · Nov 3, 2016

Done. I'm kind of surprised we don't need to restart nginx.

eva2000 · Nov 3, 2016

centmin.sh menu option 10 restarts php-fpm with memcached php extension and memcached server updates. Memcached you wouldn't need nginx restart unless you are have manually setup memcached at nginx vhost level in your site's nginx vhost.

deltahf · Nov 7, 2016

Thanks for the update! Upgrade complete.
dorobo said: ↑
Code:
# memcached -V
-bash: memcached: command not found
I'm safe right?
Click to expand...
eva2000 said: ↑

looks like memcached wasn't installed correctly ? if you ran centmin.sh menu option 10, it will install it again.
Click to expand...

I actually had the same issue. memcached -V did not work for me, even though memcached is running fine on my server.

I had to run /usr/local/bin/memcached -V to get the version number.

dorobo · Nov 7, 2016

deltahf said: ↑

I had to run /usr/local/bin/memcached -V to get the version number.
Click to expand...
Code (Text):
# /usr/local/bin/memcached -V
-bash: /usr/local/bin/memcached: No such file or directory
I have no use for memcache that's why I disabled it in /etc/centminmod/custom_config.inc

eva2000 · Nov 7, 2016

deltahf said: ↑

Thanks for the update! Upgrade complete.

I actually had the same issue. memcached -V did not work for me, even though memcached is running fine on my server.

I had to run /usr/local/bin/memcached -V to get the version number.
Click to expand...

strange you should be able to what you get get for command output for
Code (Text):
which memcached
echo $PATH
example
Code (Text):
which memcached
/usr/local/bin/memcached
Code (Text):
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin

deltahf · Nov 8, 2016

Here's my results:

Code (Text):

$ which memcached
/usr/bin/which: no memcached in (/usr/lib64/ccache:/usr/lib64/ccache:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/root/bin:)

$ echo $PATH
/usr/lib64/ccache:/usr/lib64/ccache:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/root/bin:

eva2000 · Nov 8, 2016

deltahf said: ↑
Here's my results:
Code (Text):
$ which memcached
/usr/bin/which: no memcached in (/usr/lib64/ccache:/usr/lib64/ccache:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/root/bin:)

$ echo $PATH
/usr/lib64/ccache:/usr/lib64/ccache:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/root/bin:
Click to expand...
in /root/.bashrc there's an export PATH line that you need to manually correct. Backup /root/.bashrc first and then change it to
Code (Text):
export PATH="$PATH:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
then log out of ssh session and backup to very which memcached command

deltahf · Nov 8, 2016

Thanks!

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Memcached Memcached Server 1.4.33 Released - security fix

eva2000 Administrator Staff Member

Memcached Server 1.4.33 Security Fix Release

CVE Details

In The Media

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

dorobo Active Member

Matt Moderator Staff Member

eva2000 Administrator Staff Member

dorobo Active Member

eva2000 Administrator Staff Member

Derek Member

eva2000 Administrator Staff Member

deltahf Premium Member Premium Member

dorobo Active Member

eva2000 Administrator Staff Member

deltahf Premium Member Premium Member

eva2000 Administrator Staff Member

deltahf Premium Member Premium Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Memcached Memcached Server 1.4.33 Released - security fix

eva2000 Administrator Staff Member

Memcached Server 1.4.33 Security Fix Release

CVE Details

In The Media

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

dorobo Active Member

Matt Moderator Staff Member

eva2000 Administrator Staff Member

dorobo Active Member

eva2000 Administrator Staff Member

Derek Member

eva2000 Administrator Staff Member

deltahf Premium Member Premium Member

dorobo Active Member

eva2000 Administrator Staff Member

deltahf Premium Member Premium Member

eva2000 Administrator Staff Member

deltahf Premium Member Premium Member

.