medium advisory

OpenTelemetry eBPF Instrumentation (OBI) Memcached Integer Overflow DoS

A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.

A denial-of-service vulnerability exists in the memcached text protocol parser within OpenTelemetry eBPF Instrumentation (OBI). The vulnerability resides in the pkg/ebpf/common/memcached_detect_transform.go file, where the parser lacks proper bounds checking when handling the <bytes> field of memcached storage commands (set, add, replace, append, prepend, cas). By sending a crafted memcached request with an extremely large <bytes> value (e.g., math.MaxInt or math.MaxInt-1), an attacker can cause an integer overflow during payload length calculation. This overflow results in a negative payload length being passed to LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go, triggering a runtime panic and crashing the OBI process. This vulnerability affects OBI versions 0.7.0 to 0.8.x, allowing a remote attacker to disrupt telemetry collection.

Attack Chain

  1. Attacker identifies an OBI instance instrumenting memcached traffic.
  2. Attacker crafts a memcached storage command (e.g., set) with a large <bytes> field (close to math.MaxInt).
  3. Attacker sends the crafted memcached storage command to a service instrumented by the vulnerable OBI instance on port 11211.
  4. OBI’s memcached request parser (memcachedCommandBytesField in pkg/ebpf/common/memcached_detect_transform.go) receives the crafted command and parses the <bytes> field using strconv.Atoi.
  5. OBI calculates the payload length by adding the <bytes> value to the length of the trailing \r\n delimiter.
  6. Due to the large <bytes> value, the addition overflows, resulting in a negative payloadLen.
  7. The negative payloadLen is passed to LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go.
  8. LargeBufferReader.Peek attempts to slice a buffer with the negative length, causing a Go runtime panic and crashing the OBI process.
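The arithmetic in steps 4 to 8 and the range check that prevents it, as an added Go illustration (not OBI's own code): the function names and the 1 MiB bound are assumptions, the header strings are constructed samples, and the "unchecked" variant only reproduces the wrapped length, it never slices a buffer.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Storage verbs named in the advisory; all carry <bytes> as the fifth token:
// "<cmd> <key> <flags> <exptime> <bytes> [cas unique] [noreply]".
var storageCommands = map[string]bool{
	"set": true, "add": true, "replace": true, "append": true, "prepend": true, "cas": true,
}

// Assumed bound for one value (memcached's default item limit is 1 MiB); any
// bound far below math.MaxInt keeps the later addition from wrapping.
const maxPayload = 1 << 20

// bytesField extracts and parses the <bytes> token (hypothetical helper).
func bytesField(header string) (int, error) {
	f := strings.Fields(header)
	if len(f) < 5 || !storageCommands[f[0]] {
		return 0, errors.New("not a memcached storage command")
	}
	return strconv.Atoi(f[4])
}

// payloadLenUnchecked reproduces the defect class: <bytes> + len("\r\n") with no
// range check, so a value near math.MaxInt wraps to a negative length.
func payloadLenUnchecked(header string) (int, error) {
	n, err := bytesField(header)
	if err != nil {
		return 0, err
	}
	return n + len("\r\n"), nil
}

// payloadLenChecked validates the range before adding the delimiter length, so
// whatever is handed to a buffer Peek is always within [2, maxPayload+2].
func payloadLenChecked(header string) (int, error) {
	n, err := bytesField(header)
	if err != nil {
		return 0, err
	}
	if n < 0 || n > maxPayload {
		return 0, fmt.Errorf("<bytes> value %d outside [0, %d]", n, maxPayload)
	}
	return n + len("\r\n"), nil
}
```

On a 64-bit build, payloadLenUnchecked on a header carrying math.MaxInt returns a negative number with no error, which is exactly the value the advisory says reaches Peek; payloadLenChecked returns an error for the same input.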

Impact

Successful exploitation of this vulnerability results in a denial of service (DoS) against the OBI process. This leads to a loss of telemetry data collection for any services being monitored by the affected OBI instance. The attacker only needs to send a crafted memcached storage command to a service that OBI is instrumenting. This vulnerability impacts OBI deployments where the memcached parser is active and the instrumented services are reachable or influenceable by an attacker.

Recommendation

  • Deploy the Sigma rule "Detect OpenTelemetry OBI Memcached Integer Overflow Attempt" to detect crafted memcached storage commands with extremely large <bytes> values in network traffic.
  • Monitor OBI process logs and container status for crashes originating from LargeBufferReader.Peek, the panic site described above, to identify potential exploitation attempts.
  • Consider filtering or sanitizing memcached storage command inputs to prevent excessively large <bytes> values from reaching instrumented services.

Detection coverage (1 rule)

Detect OpenTelemetry OBI Memcached Integer Overflow Attempt

Level: high

Detects attempts to exploit the OpenTelemetry OBI memcached integer overflow vulnerability (CVE-2026-45686) by identifying memcached storage commands with abnormally large byte sizes.

Rule format: Sigma. Tactics: availability. Techniques: T1499. Sources: network_connection, zeek.
