Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.DEB.2.20.1803071743230.20789@di7>
Date: Wed, 7 Mar 2018 17:48:56 -0800 (PST)
From: dormando <dormando@...ia.net>
To: oss-security@...ts.openwall.com
Subject: Memcached remote DoS in older versions

Hello,

There are a number of hang/crash bugs fixed in older versions of
memcached. All are noted in the release notes of the versions containing
the respective fixes, and most are years old.

I'm writing this in case pointing this out can help drive users to close
their instances from the internet; aside from participating in DDoS
attacks and remote users being able to read any data stored in the
instances, they can also be crashed or deadlocked.

I have a working POC deadlock for versions 1.4.20ish to 1.4.37. Older ones
should still be vulernable as well. I can supply the POC if there's
interest, or adjust it for even older versions. The POC only takes a few
seconds and kilobytes over a TCP connection and causes a mutex deadlock.

Thanks,
-Dormando

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.