This post will discuss a significant vulnerability found in Redis, an open-source in-memory data structure store used as a database, cache, and message broker. The vulnerability is related to Redis's Access Control List (ACL) management and provides unauthorized access to keys when the SORT_RO (read-only) command is used. It has been assigned the identifier CVE-2023-41053.

Vulnerable versions

The vulnerability affects Redis 7.0 and newer versions. Fixed versions are Redis 7.0.13 and 7.2.1. Users are advised to upgrade to the latest stable version.

Exploit details

Redis uses ACLs (Access Control Lists) to limit access to keys and commands. The ACL mechanism, however, fails to correctly identify the accessed keys when processing the SORT_RO command. Consequently, unauthorized users could execute this command to access keys not explicitly granted by the ACL configuration.

Code snippet

# Example of SORT_RO command usage (redis-py client):
import redis

# Redis server with the following ACL user (~allowed:* is a sample key
# pattern added so that the user has some explicitly authorized keys):
# ACL SETUSER LimitedUser on >mypassword ~allowed:* +get +sort_ro -@connection
conn = redis.StrictRedis(host='localhost', port=6379, db=0, username="LimitedUser", password="mypassword")
# On an unpatched server this returns the sorted values instead of a NOPERM error:
conn.execute_command("SORT_RO", "some_unauthorized_key")

In this example, the ACL configuration is meant to allow "LimitedUser" only GET and read-only SORT commands on its authorized keys. On a vulnerable server, however, the user can read other keys through SORT_RO, because the ACL key check is not applied to that command.
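To make the mechanism concrete, here is an added, constructed Python model of the ACL decision (not Redis's own code and not part of the original post). It assumes the flaw is that SORT_RO declared no key positions for the ACL layer to check, and contrasts that with the fixed behaviour where its first argument is checked like SORT's.

```python
import fnmatch
from dataclasses import dataclass

# Constructed, simplified model of Redis ACL enforcement (not Redis's own code).
# Each command maps to the argv positions that hold key names. The vulnerable
# table models SORT_RO as declaring no key positions, so the ACL key check
# never runs for it; the fixed table treats argv[1] as a key, like SORT.
KEY_SPECS_VULNERABLE = {"GET": [1], "SORT": [1], "SORT_RO": []}
KEY_SPECS_FIXED = {"GET": [1], "SORT": [1], "SORT_RO": [1]}


@dataclass
class AclUser:
    name: str
    allowed_commands: set   # e.g. {"GET", "SORT_RO"} from "+get +sort_ro"
    key_patterns: list      # glob patterns from "~allowed:*"


def key_allowed(user, key):
    """ACL key selector: the key must match at least one ~pattern."""
    return any(fnmatch.fnmatchcase(key, p) for p in user.key_patterns)


def check_command(user, argv, key_specs):
    """Return 'OK', 'NOPERM command' or 'NOPERM key' for argv under key_specs."""
    cmd = argv[0].upper()
    if cmd not in user.allowed_commands:
        return "NOPERM command"
    for pos in key_specs.get(cmd, []):
        if pos < len(argv) and not key_allowed(user, argv[pos]):
            return "NOPERM key"
    return "OK"


def compare(user, argv):
    """Evaluate the same command under the vulnerable and the fixed key specs."""
    return (check_command(user, argv, KEY_SPECS_VULNERABLE),
            check_command(user, argv, KEY_SPECS_FIXED))


# Constructed sample user: may only GET and SORT_RO keys under allowed:*
LIMITED = AclUser("LimitedUser", {"GET", "SORT_RO"}, ["allowed:*"])

if __name__ == "__main__":
    for argv in (["GET", "secret:token"], ["SORT", "secret:list"],
                 ["SORT_RO", "secret:list"], ["SORT_RO", "allowed:list"]):
        print(" ".join(argv), "->", compare(LIMITED, argv))
```

The vulnerable table lets SORT_RO on secret:list through while GET on the same namespace is refused; the fixed table refuses both, which is the behaviour a patched server should show.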

Mitigation

Upgrade Redis server installations to the fixed versions, Redis 7.0.13 or Redis 7.2.1, to mitigate this vulnerability.

There are no known workarounds for this vulnerability at this time.

Original references

1. Redis Security Advisory: CVE-2023-41053
2. Redis Release Notes: Redis 7.0.13, Redis 7.2.1

Conclusion

This post discussed CVE-2023-41053, a vulnerability in Redis's ACL management that could allow unauthorized access to keys through the SORT_RO command. Users should mitigate it by upgrading their Redis installations to the fixed versions. Stay safe and keep your servers up to date!

Timeline

Published on: 09/06/2023 21:15:00 UTC
Last modified on: 09/12/2023 12:00:00 UTC