Redis has earned a reputation as a fast, reliable open-source key-value store, forming the backbone of many high-performance systems worldwide. So, when a vulnerability surfaces with the words "critical," "remote," and "public exploit" attached, it’s bound to catch attention. CVE-2022-3734 is one such case — but this one is unusual, stirring controversy and confusion in the community. In this deep dive, we’ll break down the facts, the controversy, the possible (but disputed) exploit, and what Redis users, especially on Windows, need to know.
## What is CVE-2022-3734?
Summary:
CVE-2022-3734 refers to a possible critical security flaw discovered in a non-official Redis port or fork running on Windows systems. The flaw involves the Redis library at C:/Program Files/Redis/dbghelp.dll, leading to an *uncontrolled search path* — meaning, under certain conditions, Redis could be tricked into loading a malicious DLL from an unintended location, potentially allowing remote code execution.
Key Takeaways:
- Official Redis is NOT Affected: The mainstream, supported Redis releases do not include Windows-specific builds anymore, and this DLL doesn’t exist in official distributions.
- Only Affects Unofficial Windows Ports/Forks: The issue seems to be reported only in certain Redis versions or forks meant for Windows.
- Disputed Existence: There is significant debate regarding whether this vulnerability exists in practice, or is just a theoretical risk.
- Remote Exploit Possible: If real and unpatched, exploitation could potentially be initiated remotely.
- Public Disclosure: Some details have already surfaced publicly — adding urgency for users of Windows Redis ports to double-check their installations.
- Vulnerability ID: VDB-212416
## The Vulnerability: Uncontrolled Search Path Element
The issue revolves around *search path hijacking*: when a program loads a DLL (Dynamic-Link Library) without specifying its full path, Windows searches a default list of locations. An attacker may exploit this by dropping a fake DLL earlier in that list, getting their code executed. In this case, the DLL in question is dbghelp.dll.
### How it could work
1. Attacker gains access (remote or local) to place a malicious DLL in a location Redis will search before the official one.
2. Redis is launched, and, instead of using the intended dbghelp.dll, it loads the attacker’s DLL.
### Simplified Exploit Code Example
Let’s illustrate a theoretical attack in Python. Imagine a scenario where you can upload files to the Redis server's working directory:
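```python
# fake_dbghelp.py
import ctypes

# Bare-name load: no directory is given, so Windows resolves "dbghelp.dll"
# through its DLL search order and loads the first copy it finds.
ctypes.windll.LoadLibrary("dbghelp.dll")

# A Redis build that loads dbghelp.dll the same way would pick up a planted
# copy if that copy sits earlier in the search order than the real one.
```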
Or, from the attacker’s side, compiling a malicious DLL (e.g., dbghelp.dll):
```c
// malicious_dbghelp.c - compile as dbghelp.dll
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Malicious action, e.g., open a reverse shell, write to a file, etc.
        MessageBoxA(NULL, "Exploit Loaded!", "CVE-2022-3734", MB_OK);
    }
    return TRUE;
}
```
*Place this DLL in the working directory of the Redis process on Windows; if the path isn't controlled, it might get loaded instead of the real one.*
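To check which copy of dbghelp.dll a bare-name load would resolve to, the following added example (not code from the original article or from any Redis build) models the documented Windows search order and runs it over a constructed directory layout. The function names, the temporary directory layout and the trusted-directory list are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs, safe_mode=True):
    """Search order for a bare DLL name (ignores KnownDLLs, manifests, redirection)."""
    fixed = [system_dir, os.path.join(windows_dir, "System"), windows_dir]
    # SafeDllSearchMode (on by default) tries the current directory after the
    # system locations; with it off, the current directory is tried second.
    middle = fixed + [cwd] if safe_mode else [cwd] + fixed
    return [app_dir] + middle + list(path_dirs)


def find_copies(dll_name, dirs):
    """Return [(directory, sha256)] for each copy of dll_name, in search order."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.listdir(d):
            if entry.lower() == dll_name.lower():  # Windows names ignore case
                with open(os.path.join(d, entry), "rb") as fh:
                    hits.append((d, hashlib.sha256(fh.read()).hexdigest()))
                break
    return hits


def audit(dll_name, dirs, trusted_dirs):
    """Report the copy a bare-name load would pick and flag untrusted winners."""
    hits = find_copies(dll_name, dirs)
    winner = hits[0][0] if hits else None
    return {
        "winner": winner,
        "review": winner is not None and winner not in trusted_dirs,
        "copies": hits,  # every copy found, first entry is the one loaded
    }


def demo(safe_mode):
    """Constructed layout: one copy in System32, one in the working directory."""
    root = tempfile.mkdtemp()
    app, win, cwd = (os.path.join(root, n) for n in ("Redis", "Windows", "data"))
    sys32 = os.path.join(win, "System32")
    for d in (app, sys32, cwd):
        os.makedirs(d)
    for d, body in ((sys32, b"system copy"), (cwd, b"unknown copy")):
        with open(os.path.join(d, "dbghelp.dll"), "wb") as fh:
            fh.write(body)
    return audit("dbghelp.dll", search_order(app, sys32, win, cwd, [], safe_mode), [sys32]), sys32, cwd
```

On a real host, pass the Redis install directory, the service's working directory and the machine's actual system directories; a `review` result means only that the winning copy sits outside the trusted list, not that it is malicious.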
This CVE is flagged DISPUTED for several reasons:
- Official Redis No Longer Supports Windows: The Redis project dropped direct Windows support years ago (announcement). The mainstream builds don’t contain dbghelp.dll or make unsafe DLL loads.
- No Clear Proof: There is no public, fully proven exploit chain on an official Redis fork.
- Confusion Over Reporting Source: The vulnerability might come from misconfigured or unofficial builds by third parties, not from the original Redis maintainers or their codebase.
- No Statement from Redis Core Team: So far, there has been no official acknowledgment or fix issued by the main Redis team.
## Who is at Risk?
- NOT users of official Redis releases.
- Potentially at risk: Windows users running Redis from an unofficial fork, a community build, or a third-party distribution that packages dbghelp.dll insecurely.
Switch to an officially supported environment.
## Further Reading / References
- VDB-212416: https://vuldb.com/?id.212416
- CVE Mitre Database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3734
- Redis Windows Legacy Info: https://github.com/microsoftarchive/redis
- Why Redis Dropped Windows Support: https://github.com/redis/redis/pull/8841
## TL;DR
CVE-2022-3734 is a reported but DISPUTED critical bug in non-official Windows Redis builds involving dbghelp.dll and an uncontrolled search path. It can potentially allow a remote attacker to run code by introducing a malicious DLL. But don’t panic — if you use the official Linux Redis (as recommended), you’re safe. Windows Redis users should check their environment and consider moving away from unsupported, third-party builds.
Stay safe, and always double-check the source of your server software!
If you have any more questions, drop them in the comments, or check the official Redis forums and GitHub page for updates.
## Timeline
Published on: 10/28/2022 08:15:00 UTC
Last modified on: 11/29/2022 10:15:00 UTC