A new security vulnerability has been discovered in Redis, the popular open-source, in-memory database that persists on disk. The vulnerability, tracked as CVE-2023-28856, allows authenticated users to create an invalid hash field using the HINCRBYFLOAT command, causing Redis to crash upon access. This issue is present in Redis versions 7.0.11, 6.2.12, and 6.0.19.

This article provides an overview of the vulnerability and its implications, along with guidance on remediating the issue by updating Redis to the latest version.

Exploit Details

The HINCRBYFLOAT command is designed to increment the float value of a hash field within Redis. It has the format HINCRBYFLOAT key field increment, where key represents the affected Redis key, field represents the target hash field, and increment is the amount to be incremented.

The underlying bug in the HINCRBYFLOAT implementation fails to validate the hash field's value, allowing authenticated users to create an invalid hash field that would cause Redis to crash when it is accessed. Attackers can exploit this vulnerability to launch a denial-of-service (DoS) attack against the affected Redis servers.

Here is a sample code snippet that demonstrates the usage of the vulnerable HINCRBYFLOAT command:

import redis

# Connect to a local Redis instance (database 0)
r = redis.StrictRedis(host='localhost', port=6379, db=0)
r.hset("test_key", "field1", 1.0)
r.hincrbyfloat("test_key", "field1", 2.0)

# This will crash Redis server due to CVE-2023-28856 vulnerability
r.hincrbyfloat("test_key", "field1", "invalid_value")

Remediation Steps

The vulnerability has been addressed in Redis versions 7.0.11, 6.2.12, and 6.0.19. As there are no known workarounds for this issue, it is highly recommended that users upgrade their Redis instances to these versions or newer to protect against the vulnerability.

To upgrade Redis, follow these steps:

1. Download the latest version of Redis from the official website.

2. Extract the downloaded tarball and compile Redis using the following commands:

tar xzf redis-VERSION.tar.gz
cd redis-VERSION
make

3. Install the compiled binaries:

sudo make install

4. Update the Redis configuration file, usually found in /etc/redis/redis.conf, to use the new binaries.
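To find instances that still need the upgrade, the following added example (not code from the Redis project or from the original article) compares the redis_version line of INFO server output against the fixed releases listed in this article. The function names, host names, and sample INFO text are constructed for illustration; branches other than 7.0, 6.2, and 6.0 are reported as "unknown" because the article names no fixed release for them.

```python
import re

# Fixed releases named in this article, keyed by (major, minor) branch.
FIXED_PATCH = {(7, 0): 11, (6, 2): 12, (6, 0): 19}


def parse_redis_version(info_text):
    """Extract (major, minor, patch) from raw INFO server output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)\s*$",
                  info_text, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(part) for part in m.groups())


def patch_status(version):
    """Classify a version tuple against the fixed release of its branch."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"  # branch not covered by the article's version list
    return "patched" if patch >= fixed else "needs_upgrade"


def audit(inventory):
    """Map each host to a status, given {host: raw INFO server text}."""
    report = {}
    for host, info_text in inventory.items():
        try:
            report[host] = patch_status(parse_redis_version(info_text))
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample data: INFO output uses CRLF line endings.
SAMPLE_INVENTORY = {
    "cache-a": "# Server\r\nredis_version:7.0.10\r\nredis_mode:standalone\r\n",
    "cache-b": "# Server\r\nredis_version:6.2.12\r\nredis_mode:standalone\r\n",
    "queue-a": "# Server\r\nredis_version:6.0.18\r\nredis_mode:standalone\r\n",
    "legacy":  "# Server\r\nredis_version:5.0.14\r\nredis_mode:standalone\r\n",
    "broken":  "-ERR unknown command\r\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```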

Conclusion

CVE-2023-28856 is a critical vulnerability in Redis that affects the HINCRBYFLOAT command, allowing authenticated users to crash the server. To address this issue, users should upgrade Redis to version 7.0.11, 6.2.12, or 6.0.19 and deploy the latest security patches.

For more information on the vulnerability and the original references, visit the Redis GitHub Repository and the official Redis release notes.

Timeline

Published on: 04/18/2023 21:15:00 UTC
Last modified on: 06/01/2023 14:15:00 UTC