Overview
Redis is a widely used, open-source, in-memory database that delivers high performance across a variety of use cases. It also offers persistence on disk, so data survives a system restart. While it usually offers excellent performance and reliability, an issue has been discovered in certain versions of Redis that can lead to a server panic and a subsequent denial of service (DoS).
This vulnerability, identified as CVE-2024-51741, stems from an authenticated user with sufficient privileges being able to create a malformed Access Control List (ACL) selector. When that selector is accessed, it can trigger a server panic, causing the system to crash and leading to downtime and a potential loss of data or services.
The issue has been fixed in Redis versions 7.2.7 and 7.4.2. This post will provide an in-depth look at this vulnerability, including the code snippet responsible for the issue, references to original sources, and details on the exploit itself.
Code Snippet
The issue was first identified in the code that parses and validates the ACL selector. The code snippet below shows where the vulnerability is located:
// In file acl.c, function ACLLoadSelector()
void ACLLoadSelector(robj *obj) {
    char *str = obj->ptr;
    struct ACLSelector *acl_selector = zmalloc(sizeof(*acl_selector));
    /* ... */
    /* Parse the selector rules from the string; a malformed string yields a non-ACL_OK code */
    int ret = ACLSelectString(acl_selector, str, sdslen(str));
    /* ... */
    if (ret != ACL_OK) {
        /* The error is not returned to the caller: the whole server is aborted instead */
        serverPanic("Malformed ACL selector found");
    }
}
This snippet shows how the ACL selector is parsed from a string and, if parsing fails, how serverPanic is called instead of the malformed selector being rejected, crashing the Redis server and causing a denial of service.
Original References
For full details on the vulnerability and how it was identified, refer to the references provided below:
- Redis Official Security Advisory: Link
- CVE Details: Link
- GitHub Commit that Fixed the Issue: Link
Exploit Details
By exploiting this vulnerability, an attacker can bring an unprotected Redis server down and cause a denial of service. The primary prerequisite is that the attacker must be authenticated and hold sufficient permissions to modify the ACL configuration.
To leverage this exploit, an attacker would follow these general steps:
1. Authenticate with the Redis server using an existing account or an improperly secured default account.
2. Create a malformed ACL selector using the ACL SETUSER command:
   ACL SETUSER attacker_selector +@malformed_selector
3. Re-trigger the configuration parsing with the CONFIG REWRITE command.
Following these steps, the Redis server will attempt to parse the malformed ACL selector and trigger a serverPanic, resulting in a crash and subsequent denial of service.
How to Protect Your Redis Server
Luckily, the issue has been resolved in versions 7.2.7 and 7.4.2 of Redis. To protect your Redis server, ensure that you are running one of these patched versions. Additionally, consider bolstering your security posture by regularly reviewing and updating your access control policies, only allowing necessary permissions to users, and never relying on default configurations or credentials.
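As an added example (not code from this post or from the Redis project), the script below applies the two mitigations above to captured output of INFO server and ACL LIST: it classifies the running version against the fixed releases named here and flags enabled users that can rewrite ACLs or have no password. The sample output is constructed, and the rule-token mapping (treating acl as reachable via +@all, +@admin, +@dangerous or +acl) is a simplification of Redis's ordered ACL rules.

```python
"""Offline audit for CVE-2024-51741 mitigations: patched build and least-privilege ACLs."""
import re

# Fixed releases named in the advisory; earlier 7.2.x / 7.4.x builds are affected.
FIXED = {(7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}

def version_status(info_server: str) -> str:
    """Classify redis_version from INFO server text: 'patched', 'vulnerable',
    or 'unknown' for a branch this advisory does not list."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        return "unknown"
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "unknown"
    return "patched" if ver >= fixed else "vulnerable"

# Assumption: the acl command sits in @admin and @dangerous, so these tokens
# grant or revoke the ability to run ACL SETUSER (rules apply left to right).
GRANT = {"+@all", "+@admin", "+@dangerous", "+acl", "+acl|setuser"}
REVOKE = {"-@all", "-@admin", "-@dangerous", "-acl", "-acl|setuser"}

def audit_acl_list(acl_list: str) -> list[dict]:
    """Parse 'user <name> <rules...>' lines and report per-user findings."""
    findings = []
    for line in acl_list.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        name, rules = tokens[1], tokens[2:]
        can_modify_acl = False
        for tok in rules:            # later rules override earlier ones
            if tok in GRANT:
                can_modify_acl = True
            elif tok in REVOKE:
                can_modify_acl = False
        findings.append({"user": name, "enabled": "on" in rules,
                         "nopass": "nopass" in rules,
                         "can_modify_acl": can_modify_acl})
    return findings

# Constructed sample data shaped like real INFO server / ACL LIST output.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = "\n".join([
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-placeholder> sanitize-payload ~app:* &* -@all +@read +@write",
    "user ops on #<sha256-placeholder> sanitize-payload ~* &* +@all -@admin -@dangerous",
])

if __name__ == "__main__":
    print("redis_version:", version_status(SAMPLE_INFO))
    for f in audit_acl_list(SAMPLE_ACL):
        if f["enabled"] and (f["can_modify_acl"] or f["nopass"]):
            print("review:", f)
```

Run against real output by piping `redis-cli INFO server` and `redis-cli ACL LIST` into the two functions; the default user with nopass and +@all is exactly the improperly secured account the exploit steps rely on.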
Conclusion
CVE-2024-51741 is a serious vulnerability in certain versions of Redis that allows for denial of service attacks. Running an up-to-date version of Redis and following security best practices, such as properly managing access control, can help protect your Redis server from this and similar exploits.
Timeline
Published on: 01/06/2025 22:15:09 UTC