WARNING: NEW VULNERABILITY IN REDIS, PATCH IMMEDIATELY!
CVE-2023-41056
CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Risques
This new vulnerability (CVE-2023-41056) in Redis can in some cases, with a certain sequence of payloads lead to Remote Code Execution (RCE). The impact on the Confidentiality, Integrity and Availability is High. The attack complexity is high but there are no privileges or user interaction required to exploit the vulnerability.
Description
As explained in the Redis advisory: “In some cases, Redis may incorrectly handle resizing of memory buffers which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.”
The problem exists in Redis 7.0.9 (released on 2023-02-28) or newer and is fixed in Redis 7.0.15 and 7.2.4.
Actions recommandées
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.