The maintainers of the popular memcached open source distributed memory caching tool have quickly resolved a remote denial-of-service vulnerability that was disclosed publicly Monday, along with proof-of-concept exploit code.
The bug is a buffer overflow in the memcached code: if an attacker can supply a long enough value for the affected parameter, the application crashes. On Monday, someone posted the details of the vulnerability and the PoC code to GitHub, which was apparently the first the application’s maintainers heard of the issue. The bug affects versions 1.6.0 and 1.6.1.
“In line 6179, since there is no mechanism to verify the parameter's length, in this case the length of "extlen" when calling the memcpy function, it will cause a buffer overflow if a large value is assigned to the extlen variable,” the bug disclosure says.
“We can construct a very large data packet and send it to the server running memcached 1.6.0 or 1.6.1 anonymously. After that, the program will crash because of the issue mentioned above.”
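The missing check the disclosure describes is a length test on extlen before memcpy copies the extras into a fixed buffer. The following is an added illustration written for this article, not memcached's code: a hypothetical 24-byte request header carrying a one-byte extras length at offset 4, parsed with the bounds check in place so that an oversized extlen is rejected instead of overrunning the buffer. The header layout, offsets and buffer size are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative request layout: a 24-byte header whose one-byte extras
 * length sits at offset 4, followed by the extras bytes. Hypothetical
 * sizes chosen for this example; this is not memcached's code. */
#define HDR_LEN       24
#define EXTLEN_OFFSET 4
#define MAX_EXTLEN    20   /* capacity of the fixed extras buffer */

struct request {
    uint8_t extlen;
    uint8_t extras[MAX_EXTLEN];
};

/* Copy a packet's extras into the fixed-size buffer.
 * Returns 0 on success, -1 for a truncated packet and -2 when extlen
 * exceeds the buffer. The -2 check is the one whose absence would let
 * an oversized extlen drive memcpy past the end of req->extras. */
int parse_request(const uint8_t *pkt, size_t pktlen, struct request *req) {
    if (pktlen < HDR_LEN) return -1;
    uint8_t extlen = pkt[EXTLEN_OFFSET];
    if (extlen > MAX_EXTLEN) return -2;                 /* bounds check before copy */
    if (pktlen < HDR_LEN + (size_t)extlen) return -1;   /* body must be complete */
    req->extlen = extlen;
    memcpy(req->extras, pkt + HDR_LEN, extlen);         /* now within the buffer */
    return 0;
}

/* Build a constructed packet whose header claims `extlen` extras bytes
 * while `present` bytes actually follow the header, then parse it. */
int probe(uint8_t extlen, size_t present) {
    uint8_t pkt[HDR_LEN + 255];
    struct request req;
    memset(pkt, 0, sizeof pkt);
    pkt[EXTLEN_OFFSET] = extlen;
    return parse_request(pkt, HDR_LEN + present, &req);
}

int main(void) {
    printf("well-formed:      %d\n", probe(4, 4));      /* 0  */
    printf("oversized extlen: %d\n", probe(200, 200));  /* -2 */
    printf("truncated:        %d\n", probe(4, 2));      /* -1 */
    return 0;
}
```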
Memcached has been in use for more than 15 years in a wide range of environments. It is designed to help web applications run faster by pooling memory across machines, moving capacity from places that have too much to areas that don’t have enough.
Within a few hours of the issue surfacing on GitHub, one of the maintainers of memcached had released a new version that fixes the DoS vulnerability, version 1.6.2. The maintainer seemed none too pleased with the public disclosure of the vulnerability.
“I've been responsive to security reports (or even report them myself) and give credit happily when due for over ten years. Don't waste my good will, please,” the maintainer, Dormando, said in a comment on the bug disclosure.