Memcached is a popular open-source, multi-platform database-caching software program used to alleviate repetitive database operations. It was originally developed by Danga Interactive. MemcacheDB is a fork of the memcached project which adds persistent storage using the BerkeleyDB database engine.
An implementation weakness that impacts security was identified in memcached v1.2.7 and MemcacheDB v1.2.0. Users in high-security environments should consider upgrading to memcached v1.2.8 and/or a fixed version of MemcacheDB to protect against potential attacks.
Vulnerable Systems:
* memcached version 1.2.7
* MemcacheDB version 1.2.0
By simply connecting to the memcached TCP port (default: 11211) or MemcacheDB's TCP port (default: 21201) and issuing a 'stats maps' command, the software will directly pipe the output of /proc/self/maps to the client (see memcached.c:1153 and memcachedb.c:946).
Since neither memcached nor MemcacheDB does any authentication, a well-known requirement is that the services must never be accessible by untrusted machines. If an untrusted machine were to access the services, then any contents of the cache could be read and/or modified; arbitrary data could be inserted as well.
Even in light of this requirement, it remains reasonable for an administrator to expect that using these pieces of software would not allow a trusted machine to execute arbitrary code. By extension, it remains reasonable for an administrator to rely on ASLR protections to thwart any potential buffer overflow attacks. Because of these reasonable assumptions, and because no explicit documentation warns users of this non-obvious feature and its non-obvious impact, this issue qualifies as a security weakness.
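The following Python audit script is an added example written for this page; it is not code from the advisory, from memcached, or from MemcacheDB. It lets an administrator verify from a trusted host whether a server still answers 'stats maps' with the contents of /proc/self/maps, and it parses the reply into the per-module base addresses that such a leak hands to an unauthenticated client, which is exactly the information ASLR exists to hide. The host names and ports passed on the command line are assumptions; the two sample replies embedded in the script are constructed for offline use (the vulnerable one imitates the format of /proc/self/maps followed by the END terminator; the fixed one is simply a reply that contains no maps lines).

```python
import re
import socket
import sys

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]".
_MAPS_LINE = re.compile(
    rb"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    rb"(?P<perms>[rwxsp-]{4})\s+[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*"
    rb"(?P<path>\S.*)?$"
)

# Constructed sample: what a vulnerable 1.2.7 / 1.2.0 server's reply looks like.
SAMPLE_VULNERABLE_REPLY = (
    b"00400000-00418000 r-xp 00000000 08:01 393433 /usr/local/bin/memcached\n"
    b"00617000-00618000 rw-p 00017000 08:01 393433 /usr/local/bin/memcached\n"
    b"7f2c3a1d4000-7f2c3a35a000 r-xp 00000000 08:01 1049093 /lib/libc-2.9.so\n"
    b"7f2c3a35a000-7f2c3a559000 ---p 00186000 08:01 1049093 /lib/libc-2.9.so\n"
    b"7fff1a2b3000-7fff1a2c8000 rw-p 00000000 00:00 0 [stack]\n"
    b"END\r\n"
)
# Constructed sample: a reply that carries no memory-map lines at all.
SAMPLE_FIXED_REPLY = b"ERROR\r\n"


def parse_maps_leak(response: bytes) -> list:
    """Return every memory region found in a server reply ([] if none leaked)."""
    regions = []
    for raw in response.splitlines():
        m = _MAPS_LINE.match(raw.strip())
        if m is None:
            continue
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms").decode(),
            "path": (m.group("path") or b"").decode(errors="replace"),
        })
    return regions


def leaked_bases(regions: list) -> dict:
    """Lowest mapped address per file-backed module, i.e. each module's ASLR slide."""
    bases = {}
    for r in regions:
        if not r["path"].startswith("/"):
            continue  # anonymous mappings, [stack], [heap] carry no module base
        bases[r["path"]] = min(bases.get(r["path"], r["start"]), r["start"])
    return bases


def read_stats_maps(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Issue 'stats maps' and collect the reply until END/ERROR or the socket goes quiet."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"stats maps\r\n")
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            if (buf.endswith(b"END\r\n") or buf.startswith(b"ERROR")
                    or buf.startswith(b"SERVER_ERROR")):
                break
    return buf


def audit_reply(response: bytes) -> dict:
    """Summarise a reply: does it leak the map, how many regions, which module bases."""
    regions = parse_maps_leak(response)
    return {
        "leaks_maps": bool(regions),
        "regions": len(regions),
        "bases": leaked_bases(regions),
    }


if __name__ == "__main__":
    # Usage (assumed deployment values): python audit_stats_maps.py cache01 11211
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 11211
    result = audit_reply(read_stats_maps(host, port))
    print("leaks /proc/self/maps:", result["leaks_maps"])
    for path, base in sorted(result["bases"].items()):
        print(f"  {path}: base 0x{base:x}")
```

Run it against each memcached (default port 11211) and MemcacheDB (default port 21201) instance after upgrading; a server on a fixed version should report `leaks /proc/self/maps: False`. The parser is deliberately keyed on the /proc maps line format rather than on any particular error string, so it also classifies replies from builds whose fallback message differs.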
The maintainer of MemcacheDB claimed to fix the issue in the code repository, but unfortunately, has not released a stable package containing it (see the Disclosure Timeline below for details). In the meantime, the unofficial patch found in the following advisory can be applied to the source tree of MemcacheDB v1.2.0: http://www.positronsecurity.com/advisories/2009-001.html
Disclosure Timeline:
March 31st, 2009: Using the contents of the packaged AUTHORS file, Brad Fitzpatrick and Anatoly Vorobey were notified via e-mail.
April 7th, 2009: After receiving no reply from the official maintainers, a request to contact any acting maintainer(s) was made to the memcached mailing list at http://groups.google.com/group/memcached/browse_thread/thread/ff92b3d1a6191e4d. Dormando identified himself as a maintainer via e-mail, and was notified of the issue.
April 10th, 2009: Dormando released v1.2.8 to resolve the issue.
April 13th, 2009: Steve Chu, the maintainer of MemcacheDB, was notified of the issue. He replied that he would fix it.
April 14th, 2009: Steve Chu sent notification that the issue was fixed in the code repository and provided the following link: http://code.google.com/p/memcachedb/source/detail?r=98.
April 15th, 2009: Steve Chu was asked when a stable release would be available.
April 17th, 2009: Steve Chu was again asked when a stable release would be available.
April 18th, 2009: Steve Chu indicated that a stable release containing the fix would be available "a couple of days later."
April 24th, 2009: An update was requested from Steve Chu regarding the release date for the fixed stable version of MemcacheDB. As of April 28th, 2009, no reply was received.