CVE-2022-36021 - Exploiting Redis String Matching Commands to Trigger a Denial-of-Service (DoS) Attack

In this long-read post, we will discuss an important vulnerability in Redis, which when exploited, could potentially put your entire Redis infrastructure at risk. The Common Vulnerabilities and Exposures (CVE) reference number for this vulnerability is CVE-2022-36021.

Redis, a widely used in-memory database that also persists on disk, allows authenticated users to use string matching commands, such as SCAN or KEYS, to search keys matching a specific pattern. Unfortunately, a specially crafted pattern could be used to trigger a Denial-of-Service (DoS) attack on Redis, causing the database to hang and consume 100% CPU time.

In this post, we will dive deeper into how this vulnerability works, how it can be exploited, and how you can protect your Redis deployments using patches provided in the newly released versions 6..18, 6.2.11, and 7..9.

Redis String Matching Commands

Developer operations on Redis often require searching for keys having a specific pattern. To facilitate this, Redis provides string matching commands like SCAN and KEYS.

Example

// Find all keys starting with "user:"
redis-cli KEYS "user:*"

These commands offer a powerful way to sort and filter your database keys. However, it is crucial to understand that they should be used with caution to prevent unintentional consequences.

Vulnerability Explanation - CVE-2022-36021

The vulnerability affects how Redis handles string matching commands like SCAN and KEYS. Attackers who are authenticated can potentially exploit this vulnerability by sending a specially crafted pattern.

When Redis processes the malicious pattern, it enters a state where it hangs and consumes 100% of the available CPU time, leading to a DoS attack. This will significantly impact your Redis application's performance and render it unusable until the issue is resolved.

The following code snippet demonstrates the structure of an exploitable pattern

// Example of a malicious pattern:
redis-cli KEYS "{*}"

Important Note

It is crucial to understand that posting the actual malicious pattern may enable others to exploit this vulnerability. Therefore, we have chosen not to include the actual pattern in this post.

Exploit Details

For an attacker to exploit this vulnerability, they must have authentication access to the Redis database. They can then execute the SCAN or KEYS command using the specially crafted pattern.

As a result, the Redis process will freeze and consume 100% CPU time, leading to a DoS attack. This will significantly impact the performance of your Redis applications and render them unusable until the issue is resolved.

Mitigation and Solution

To protect your Redis deployments from this vulnerability, it is highly recommended to upgrade your Redis version to one of the recently released versions that include a fix for CVE-2022-36021. These versions are:

Redis 7..9

You can download the fixed versions of Redis from the official Redis website: https://redis.io/download

Upgrade your Redis instances by following the official upgrade guide: https://redis.io/topics/upgrade

Conclusion

CVE-2022-36021 exposes a critical vulnerability in Redis that authenticated users can exploit to trigger a DoS attack. It is essential to apply the necessary patches by upgrading to Redis versions 6..18, 6.2.11, or 7..9 to secure your Redis deployments.

For further information on this vulnerability, please refer to the following resources

- Original Redis Vulnerability Report: https://github.com/redis/redis/security/advisories/GHSA-jxrj-hppf-558w
- NVD Vulnerability Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-36021

Stay vigilant, and remember to continuously monitor the security updates and advisories of the software you rely on, to ensure that your applications and infrastructure remain secure.

Timeline

Published on: 03/01/2023 16:15:00 UTC
Last modified on: 03/09/2023 01:07:00 UTC