CVE-2023-22458: Redis Denial-of-Service Vulnerability Due to Assertion Failure Triggered by HRANDFIELD or ZRANDMEMBER Commands

In this post, we will discuss a recent security vulnerability, CVE-2023-22458, present in the Redis in-memory database. The vulnerability allows authenticated users to crash Redis instances by issuing HRANDFIELD or ZRANDMEMBER commands with specially crafted arguments, resulting in a denial-of-service due to an assertion failure.

Redis is an open-source, in-memory data structure store that serves as a database, cache, and message broker. It supports various data structures such as strings, hashes, lists, sets, and sorted sets with range queries.

Affected Versions and Impact

This vulnerability affects Redis versions 6.2 or newer up to, but not including, 6.2.9, as well as versions 7.0 up to, but not including, 7.0.8. There are no known workarounds for this issue. To fix the vulnerability, users must upgrade to Redis version 6.2.9 or 7.0.8, as appropriate.
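To turn the affected-version ranges above into a repeatable check, here is an added Python example (not from the original post or from the Redis project) that reads the redis_version field from the output of the INFO server command and reports whether the instance is in an affected range and which release it should be upgraded to. The fixed versions (6.2.9 and 7.0.8) are the ones stated above; the sample INFO output is constructed for the example, and the check deliberately reports release lines other than 6.2 and 7.0 as not affected by this specific CVE, so unstable or pre-release builds need separate handling.

```python
"""Assess a Redis server's reported version against CVE-2023-22458 ranges."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First patch release of each affected line that contains the fix, as stated
# in the advisory: 6.2.x before 6.2.9 and 7.0.x before 7.0.8 are affected.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 9),
    (7, 0): (7, 0, 8),
}

# Constructed sample of `INFO server` output (assumption: a 7.0.5 instance).
SAMPLE_INFO = """# Server
redis_version:7.0.5
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (dropping any '-suffix') into a comparable tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_from_info(info_text: str) -> str:
    """Extract the redis_version field from `INFO server` output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version field not found in INFO output")


@dataclass
class Assessment:
    version: Version
    affected: bool
    upgrade_to: Optional[Version]  # None when no upgrade is needed for this CVE


def assess(version_text: str) -> Assessment:
    """Decide whether the given version falls inside an affected range."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Release line not covered by this advisory (e.g. 6.0.x): not affected
        # by CVE-2023-22458, though it may still be end-of-life.
        return Assessment(version, False, None)
    affected = version < fixed
    return Assessment(version, affected, fixed if affected else None)


def format_version(version: Version) -> str:
    return ".".join(str(n) for n in version)


if __name__ == "__main__":
    result = assess(version_from_info(SAMPLE_INFO))
    status = "AFFECTED" if result.affected else "not affected"
    print(f"redis {format_version(result.version)}: {status}")
    if result.upgrade_to:
        print(f"upgrade to {format_version(result.upgrade_to)}")
```

In practice the INFO text would come from `redis-cli INFO server` against each instance in your inventory; the parsing and comparison logic stays the same.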

The impact of this vulnerability is limited to denial-of-service (DoS), i.e., causing the Redis instance to crash and become unavailable, due to an assertion failure. Although the vulnerability does not allow for remote code execution or data tampering, it can still cause significant disruption to Redis-dependent services.

Exploit Details

The vulnerability is triggered when an authenticated user issues an HRANDFIELD or ZRANDMEMBER command with specially crafted arguments. The affected commands are used, respectively, to fetch random fields from a hash or random members from a sorted set.

For example, a malicious user may send the following command to the Redis server:

HRANDFIELD <key> <count> <invalid_argument>

or

ZRANDMEMBER <key> <count> <invalid_argument>

where <key> is an existing hash or sorted set key, <count> is the number of random fields or members to fetch, and <invalid_argument> is an argument that exploits the vulnerability and triggers the assertion failure.

When Redis processes the command, the specially crafted arguments lead to an internal assertion failure, causing the Redis instance to crash.

Mitigation and Recommendation

The recommended course of action to address this vulnerability is to upgrade Redis to version 6.2.9 or 7.0.8, depending on the current version in use. It is important to note that there are no known workarounds for this issue, making the upgrade essential to ensure the stability and availability of Redis instances.

You can find the necessary update files for Redis on the official Redis downloads page:

- Redis 6.2.9: https://download.redis.io/releases/redis-6.2.9.tar.gz
- Redis 7.0.8: https://download.redis.io/releases/redis-7.0.8.tar.gz

In addition to upgrading, it is essential to continuously monitor, audit, and restrict access to your Redis instances to minimize the risk of unauthorized users exploiting similar vulnerabilities in the future.

For more information on CVE-2023-22458, you can refer to the following original references:

- https://github.com/redis/redis/security/advisories/GHSA-3wh5-mf79-rccf

- https://nvd.nist.gov/vuln/detail/CVE-2023-22458

Conclusion

Redis is a widely used in-memory database that can also persist data on disk, making any security vulnerability in its functionality critical. CVE-2023-22458 demonstrates the importance of securing access to Redis instances, regularly updating software, and being aware of potential vulnerabilities. By understanding this specific vulnerability and taking the necessary steps to address it, Redis administrators can ensure the continued security and stability of their infrastructure.

Timeline

Published on: 01/20/2023 19:15:00 UTC
Last modified on: 02/02/2023 14:23:00 UTC