Redis Vulnerability Impacts Linux Servers
Rapid7 security researchers have warned of active exploitation of a serious Redis vulnerability (CVSS score 10) that affects over 2,000 internet-facing servers. NIST describes the CVE (CVE-2022-0543) as:
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Both Debian and Ubuntu patched the bug in February 2022, but on March 8 Reginaldo Silva (the researcher credited with discovering it) released proof-of-concept code that targets the flaw. Within days, exploitation of the vulnerability was observed in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog.
The root cause is a packaging oversight rather than a bug in Redis itself. Upstream Redis statically links its bundled Lua, whereas the Ubuntu and Debian Redis packages dynamically link the system Lua library. The vulnerable packages disable the Lua require and module interfaces to keep scripts inside the sandbox, but fail to disable the Lua package library, so package.loadlib remains callable from any EVAL script and can load an arbitrary shared library into the Redis process, which is enough for remote code execution. The fix in both distributions sets package to nil so that the library can no longer be reached from a script.
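A non-destructive way to tell a vulnerable package from a patched one follows directly from the description above: ask the Lua sandbox what the global package is. On a patched Debian/Ubuntu build (and on upstream Redis, which never loads the package library) type(package) is "nil"; on a vulnerable build it is "table". The script below is an added example written for this page, not code from the advisory, from Rapid7 or from Reginaldo Silva's proof of concept. It speaks RESP over a raw socket so it has no dependencies; the host, port and the probe script itself are assumptions chosen for illustration.

```python
import socket

# Constructed probe script. It only reads the type of the `package` global
# and never calls package.loadlib, so it cannot change the server's state.
PROBE_SCRIPT = "return type(package)"


def encode_command(*args: str) -> bytes:
    """Encode a Redis command as a RESP array of bulk strings."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(data: bytes) -> str:
    """Decode the reply kinds EVAL can produce for this probe:
    simple string (+), bulk string ($), null bulk ($-1) or error (-)."""
    if data.startswith(b"+"):
        return data[1:].split(b"\r\n", 1)[0].decode()
    if data.startswith(b"-"):
        # e.g. -NOAUTH Authentication required. when requirepass is set
        raise RuntimeError(data[1:].split(b"\r\n", 1)[0].decode())
    if data.startswith(b"$"):
        header, rest = data.split(b"\r\n", 1)
        length = int(header[1:])
        if length < 0:
            return "nil"  # null bulk reply: Lua returned nil itself
        return rest[:length].decode()
    raise ValueError(f"unexpected RESP reply: {data!r}")


def classify(lua_type: str) -> str:
    """Map type(package) to a verdict for the Debian/Ubuntu Lua sandbox escape."""
    if lua_type == "table":
        return "VULNERABLE: Lua package library (package.loadlib) reachable from EVAL"
    if lua_type == "nil":
        return "not vulnerable: package is nil in the scripting sandbox"
    return f"unknown: type(package) == {lua_type!r}"


def check_redis(host: str = "127.0.0.1", port: int = 6379, timeout: float = 3.0) -> str:
    """Connect to a Redis instance, run the probe and return a verdict.
    Assumes an unauthenticated instance; add an AUTH command first otherwise."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("EVAL", PROBE_SCRIPT, "0"))
        reply = sock.recv(4096)
    return classify(parse_reply(reply))


if __name__ == "__main__":
    print(check_redis())
```

Run it against each Redis host you own; a "VULNERABLE" verdict means the distribution package has not been updated, regardless of what the Redis version string says. The probe uses only EVAL, which any client permitted to run scripts can already issue, and it writes nothing.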
Rapid7 warned that attackers will keep exploiting the vulnerability as long as unpatched servers remain reachable. If your company runs Redis from the Debian or Ubuntu packages, install the updated package as soon as possible. Patching closes this escape, but it does not make an internet-facing Redis instance safe: Redis is designed to be reached only by trusted clients, so it should also sit behind a firewall or private network and require authentication.