Two critical vulnerabilities have been identified in Redis, the widely used in-memory database, potentially exposing millions of systems to denial-of-service (DoS) attacks and remote code execution (RCE).
These flaws tracked as CVE-2024-51741 and CVE-2024-46981, highlight significant security risks for Redis users and underscore the importance of timely updates and mitigations.
CVE-2024-51741: Denial Of Service via Malformed ACL Selectors
The first vulnerability, CVE-2024-51741, affects Redis versions 7.0.0 and newer. An authenticated user with sufficient privileges can create a malformed Access Control List (ACL) selector.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
When accessed, this malformed selector triggers a server panic, leading to a denial-of-service condition. This issue has been resolved in Redis versions 7.2.7 and 7.4.2.
Redis users are urged to upgrade to these patched versions immediately to safeguard their systems from potential exploitation. The vulnerability was reported by Axel Mierczuk, who contributed to identifying the flaw.
CVE-2024-46981: Remote Code Execution via Lua Scripting
The second vulnerability, CVE-2024-46981, poses an even greater threat as it could allow remote code execution. This issue stems from the misuse of Lua scripting capabilities in Redis.
An authenticated attacker can craft a malicious Lua script to manipulate the garbage collector, potentially executing arbitrary code on the server.
This vulnerability affects all Redis versions with Lua scripting enabled. Patches have been released for Redis 6.2.x, 7.2.x, and 7.4.x to address this issue.
As an additional precaution for users unable to update immediately, it is recommended to disable Lua scripting by restricting the `EVAL` and `EVALSHA` commands using ACL rules.
The discovery of CVE-2024-46981 is credited to security researcher p33zy in collaboration with Trend Micro’s Zero Day Initiative.
To protect against these vulnerabilities:
1. Upgrade Redis: Users should update their installations to the patched versions—7.2.7 or 7.4.2 for CVE-2024-51741 and the latest releases for CVE-2024-46981.
2. Restrict Lua Scripting: As a temporary workaround for CVE-2024-46981, disable Lua scripting by modifying ACL rules to block `EVAL` and `EVALSHA` commands.
3. Monitor Access Controls: Ensure that only trusted users have access to execute privileged commands on Redis servers.
These vulnerabilities highlight the critical need for robust security practices in managing database systems. Redis users are strongly advised to act promptly to mitigate risks and secure their environments against potential exploitation.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!