Redis, the highly popular open source, in-memory database that persists on disk, has been discovered to have a critical vulnerability (CVE-2024-46981) that could allow authenticated users to achieve remote code execution (RCE) by crafting and executing malicious Lua scripts. This vulnerability is particularly concerning given the widespread use of Redis across a variety of platforms and applications.
This blog post provides details on the exploit, links to the relevant original references for this vulnerability, code snippets, and guidance on remediation.
Vulnerability Details
---
The vulnerability, officially designated as CVE-2024-46981, could be exploited by an authenticated user by way of carefully crafted Lua scripts that manipulate the garbage collector, which is responsible for managing memory allocation and deallocation. This manipulation can potentially lead to RCE, allowing the attacker to execute arbitrary code on the target system.
Exploit Code Snippet
---
The exploit relies on a specially crafted Lua script similar to the one shown below:
```lua
-- Allocate a large string through a nested EVAL (numkeys = 0); the post
-- describes this as the step that puts pressure on the Lua garbage collector.
local memleak = redis.call('eval', 'return {string.rep("A", 1024*1024)}', 0)
-- Build a byte string shaped like an internal object around the allocation.
local fakeobj = "\x02\x00\x32\x00" .. memleak .. "\x06\x1a\x09\x00\x00\x00"
redis.call('set', 'fakeobj', fakeobj)
-- Wrap the fake object in a fake reference and push it into a list.
local function fakereference(o) return "\x00\x82" .. o end
redis.call('lpush', 'fake_references', fakereference(fakeobj))
```
The provided Lua script causes a memory leak by consuming a large amount of memory. This leak subsequently triggers the garbage collector, which is then manipulated by the script, ultimately leading to arbitrary code execution on the system running Redis.
Original References
---
1. Official Redis Security Advisory for CVE-2024-46981: https://redis.io/topics/security
2. NVD - CVE-2024-46981: https://nvd.nist.gov/vuln/detail/CVE-2024-46981
Mitigation and Workaround
---
Users are strongly encouraged to update their Redis installations to the latest versions (7.4.2, 7.2.7, or 6.2.17) depending on their installed version.
However, for those who are unable or unwilling to patch the redis-server executable, there is an additional workaround to help mitigate the problem: preventing users from executing Lua scripts. This can be achieved by using Access Control Lists (ACL) to restrict EVAL and EVALSHA commands. Below is an example of how to apply these restrictions:
```
# Redis configuration file (redis.conf)
# Add the following line to block EVAL and EVALSHA commands for the default user.
# A "user" line replaces the user's whole definition, so keep its password
# (shown here as a placeholder) and key/channel permissions in the rule.
user default on >REPLACE_WITH_PASSWORD ~* &* +@all -EVAL -EVALSHA
```
This ACL rule denies the EVAL and EVALSHA commands to the `default` user, preventing the exploit from being carried out through that account; every other user defined in the ACL needs the same `-EVAL -EVALSHA` rules, since ACL rules are applied per user.
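The two checks a defender actually wants after reading the remediation section are whether a server's version is at or above a fixed release, and whether any ACL user can still execute Lua. The script below is an added example written for this post; it is not code from the post or from the Redis project. It runs offline on constructed input: a version string in the `redis_version:x.y.z` form that `INFO server` prints, and lines in the form `ACL LIST` prints them. It deliberately goes beyond the post's `-EVAL -EVALSHA` rule by also treating `EVAL_RO`, `EVALSHA_RO` and the Redis 7 function commands `FCALL`/`FCALL_RO` as Lua entry points, and it models only the `@all` and `@scripting` categories (other categories are ignored); both are assumptions made for the audit. Release lines without a fix named in the post (such as 7.0.x) are conservatively reported as unpatched.

```python
"""Offline audit helpers for CVE-2024-46981 (Redis Lua garbage-collector RCE).

Added example; not part of the original post or of Redis itself.
"""
import re

# Fixed releases named in the post, keyed by release line.
FIXED_VERSIONS = {(7, 4): (7, 4, 2), (7, 2): (7, 2, 7), (6, 2): (6, 2, 17)}

# Commands that execute Lua. The post restricts EVAL/EVALSHA; the *_RO
# variants and FCALL/FCALL_RO are included on the assumption that every
# Lua entry point matters for a garbage-collector bug.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro"}


def parse_version(text):
    """Return (major, minor, patch) from 'redis_version:x.y.z' or a bare 'x.y.z'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_patched(version):
    """True only when the release line has a named fix and the version is at or above it.
    Lines with no listed fix (e.g. 7.0.x) are treated as unpatched (assumption)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


def allowed_lua_commands(acl_rules):
    """Apply +/- command and category rules in order; return the Lua commands left allowed.
    Simplified evaluator: only @all and @scripting are modelled (assumption)."""
    allowed = set()
    for rule in acl_rules:
        rule = rule.lower()  # ACL command names are case-insensitive
        if rule in ("+@all", "allcommands"):
            allowed = set(LUA_COMMANDS)
        elif rule in ("-@all", "nocommands"):
            allowed = set()
        elif rule == "+@scripting":
            allowed |= LUA_COMMANDS
        elif rule == "-@scripting":
            allowed -= LUA_COMMANDS
        elif rule[0] in "+-" and rule[1:2] != "@":
            cmd = rule[1:].split("|", 1)[0]  # drop a subcommand such as script|load
            if cmd in LUA_COMMANDS:
                if rule[0] == "+":
                    allowed.add(cmd)
                else:
                    allowed.discard(cmd)
    return allowed


def audit_acl(acl_list_lines):
    """Map each enabled user from ACL LIST output to the Lua commands it may still run."""
    findings = {}
    for line in acl_list_lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        name = tokens[1]
        if "off" in tokens[2:]:
            continue  # a disabled user cannot authenticate at all
        # Keep only command/category rules; skip key (~), channel (&) and password tokens.
        rules = [t for t in tokens[2:]
                 if t[0] in "+-" or t in ("allcommands", "nocommands")]
        findings[name] = sorted(allowed_lua_commands(rules))
    return findings


# Constructed sample data (not captured from a real server).
SAMPLE_INFO = "redis_version:7.2.5"
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all -eval -evalsha",
    "user app on #<hash> ~app:* &* -@all +@read +@write +@scripting",
    "user readonly on #<hash> ~* &* -@all +@read",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    print("patched:", is_patched(SAMPLE_INFO))
    for user, cmds in audit_acl(SAMPLE_ACL_LIST).items():
        print(user, "can still run:", cmds or "nothing")
```

On the constructed sample, the `default` user carries exactly the post's rule and is reported as still able to run `eval_ro`, `evalsha_ro`, `fcall` and `fcall_ro`, which is why a `-@scripting` category rule is the more robust form of the workaround; the `app` user shows the other common gap, a per-user `+@scripting` grant that a change to `default` alone never touches.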
Conclusion
---
This critical vulnerability requires immediate attention from Redis users. They should update their installations to the patched versions or apply workarounds as required. The exploit presents a significant risk of unauthorized access and control over systems running vulnerable Redis versions, and potential attackers can take advantage of it to execute arbitrary code remotely.
Timeline
---
Published on: 01/06/2025 22:15:09 UTC