
WARNING: A DENIAL OF SERVICE AND A REMOTE CODE EXECUTION FOUND IN REDIS, PATCH IMMEDIATELY!

Reference: 
Advisory #2025-04
Version: 
1.0
Affected software: 
Redis server
Type: 
Remote code execution, Denial of service
CVE/CVSS: 

CVE-2024-51741: CVSS 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVE-2024-46981: CVSS 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

Redis advisory (CVE-2024-51741): https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9

Redis advisory (CVE-2024-46981): https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Risks

On 6 January 2025, Redis addressed two vulnerabilities in Redis Server:

  • An authenticated user with sufficient privileges could exploit CVE-2024-51741 to cause a denial of service.
  • An authenticated user could exploit CVE-2024-46981 with a specially crafted Lua script, potentially leading to remote code execution.

Redis is a popular in-memory data store used primarily as an application cache, quick-response database or message broker. Redis servers have been compromised in the past to integrate the server as part of a botnet and exfiltrate data.

There is no information as to active exploitation at this time (cut-off date: 7 January 2025).

Exploitation of these vulnerabilities can have a high impact on availability, and varying levels of impact on confidentiality and integrity.

Description

CVE-2024-51741 is a moderate-severity vulnerability affecting Redis servers running version 7.0.0 and newer. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and a subsequent denial of service.

CVE-2024-46981 is a high-severity vulnerability affecting all versions of Redis with Lua scripting enabled. An authenticated user may use a specially crafted Lua script to manipulate the Lua garbage collector, potentially leading to remote code execution.

Recommended actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Redis recommends customers patch with the following versions:

  • CVE-2024-51741: the issue is fixed in Redis 7.2. and 7.4.2
  • CVE-2024-46981: the issue is fixed in 6.2.x, 7.2.x and 7.4.x

A workaround exists for CVE-2024-46981 to mitigate the problem without patching the redis-server executable. This workaround consists of preventing users from executing Lua scripts, which can be done by using ACLs to restrict the EVAL and EVALSHA commands.
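As an added illustration (not part of the CCB advisory or of the Redis project), the following script audits a Redis users.acl file and reports which enabled users can still reach Lua script execution after the ACL workaround has been applied. The sample ACL lines are constructed, and the script treats the whole @scripting category (EVAL_RO, FCALL, FUNCTION, ...) as in scope, a conservative choice that goes beyond the two commands the workaround names.

```python
"""Audit a Redis users.acl file for users who can still execute Lua scripts."""

# Constructed sample ACL file; not a real deployment.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user cache-app on #hashplaceholder ~cache:* +@read +@write
user batch on >secret ~* +@all -eval -evalsha
user ops on >secret ~* -@all +@scripting +@read
"""

# Members of the Redis 7 @scripting category. Assumption: treating all of
# them as script-capable, not only EVAL/EVALSHA, is the conservative choice.
SCRIPTING = {"eval", "evalsha", "eval_ro", "evalsha_ro",
             "script", "function", "fcall", "fcall_ro"}


def allowed_lua_commands(rules):
    """Apply ACL rules left to right and return the @scripting commands left enabled."""
    enabled = set()
    for rule in rules:
        if rule == "allcommands":
            rule = "+@all"
        elif rule == "nocommands":
            rule = "-@all"
        if not rule or rule[0] not in "+-":
            continue  # on/off, ~key patterns, &channels, >passwords, etc.
        add, target = rule[0] == "+", rule[1:].lower()
        if target in ("@all", "@scripting"):
            affected = set(SCRIPTING)
        elif target.startswith("@"):
            continue  # simplification: other categories are treated as script-free
        else:
            affected = {target.split("|")[0]} & SCRIPTING  # handles "+script|flush"
        enabled = enabled | affected if add else enabled - affected
    return enabled


def audit(acl_text):
    """Return {username: sorted script-capable commands} for enabled users still exposed."""
    findings = {}
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        if "off" in rules:
            continue  # disabled users cannot authenticate at all
        allowed = allowed_lua_commands(rules)
        if allowed:
            findings[name] = sorted(allowed)
    return findings
```

Running `audit` over the sample reports `default`, `batch` and `ops`: `batch` lost EVAL and EVALSHA but keeps EVAL_RO, FCALL and the other scripting commands, and `cache-app` is clean.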

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://notif.safeonweb.be/.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
