Denial of service in Dormando Memcached

Published: 2017-05-22 | Updated: 2018-03-16

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2018-1000127
CWE-ID	CWE-190
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	memcached Server applications / Web servers
Vendor	Memcached

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Integer overflow

EUVDB-ID: #VU11124

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-1000127

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the items.c:item_free() function due to improper bounds checks. A remote attacker can trigger integer overflow and cause the service to crash.

Mitigation

Update to version 1.4.37 or later.

Vulnerable software versions

memcached: 1.4 - 1.4.36

CPE2.3

cpe:2.3:a:memcached:memcached:1.4.25:*:*:*:*:*:*:*

External links

http://github.com/memcached/memcached/commit/a8c4a82787b8b6c256d61bd5c42fb7f92d1bae00

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?