Two critical vulnerabilities affecting Redis, the widely used in-memory database, have been identified. They expose millions of systems to potential denial-of-service (DoS) attacks and remote code execution (RCE).
The first vulnerability, CVE-2024-51741, affects Redis versions 7.0.0 and newer. An authenticated user with sufficient privileges can exploit this vulnerability by crafting a malformed Access Control List (ACL) selector. Upon access, the malformed selector triggers a server panic, resulting in a denial-of-service condition.
To address this issue, Redis has released fixes in versions 7.2.7 and 7.4.2. Redis users are strongly urged to upgrade to these patched versions to safeguard their systems against potential exploitation. The discovery is credited to security researcher Axel Mierczuk.
The flaw that enables RCE on vulnerable Redis servers via Lua scripting is tracked as CVE-2024-46981. The issue stems from the misuse of the Lua scripting capabilities embedded in Redis: an authenticated attacker can craft a malicious Lua script that manipulates the garbage collector, enabling remote code execution.
This vulnerability impacts all Redis versions that have Lua scripting enabled. Redis has issued patches for versions 6.2.x, 7.2.x, and 7.4.x to mitigate this risk.
For users unable to update immediately, it is recommended to disable Lua scripting by restricting the EVAL and EVALSHA commands using ACL rules, which reduces exposure until the patch can be applied.
Security researcher p33zy, in collaboration with Trend Micro’s Zero Day Initiative, is credited with discovering and reporting CVE-2024-46981.
To protect against these vulnerabilities, upgrade Redis, restrict Lua scripting, and monitor access controls.
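The two checks the article recommends (is the server below the fixed release, and which ACL users can still reach the scripting commands) can be run offline against the text that `redis-cli INFO server` and `redis-cli ACL LIST` return. The script below is an added example, not Redis's own tooling; the `INFO` and `ACL LIST` lines it uses are constructed, the `FIXED_51741` table assumes that 7.4.2 and later and 7.2.7 and later within the 7.2 line carry the fix (7.0.x has no fix listed and is treated as affected), and `SCRIPTING_COMMANDS` is an assumed membership of Redis's `@scripting` ACL category. It goes slightly beyond the article by checking every command in that category rather than only EVAL and EVALSHA, so a rule set that blocks just those two is still reported.

```python
"""Offline audit helpers for the two Redis advisories above (added example,
not Redis's own tooling). SAMPLE_INFO and SAMPLE_ACL are constructed stand-ins
for `redis-cli INFO server` and `redis-cli ACL LIST` output."""
import re

# CVE-2024-51741 fixed releases named in the advisory. Assumption: 7.4.2 and
# later, or 7.2.7 and later within the 7.2 line, carry the fix; 7.0.x has no
# fix listed and is treated as affected; releases below 7.0.0 are unaffected.
FIXED_51741 = {(7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}

# Assumed membership of the @scripting ACL category: every command that runs
# Lua or a loaded function. Blocking only EVAL/EVALSHA leaves the rest open.
SCRIPTING_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                      "fcall", "fcall_ro", "function", "script"}

# Constructed sample output; the password hash is a placeholder, not a real one.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* &* -@all +@read +@write",
    "user ops on #" + "0" * 64 + " ~* &* +@all -@scripting",
    "user legacy on nopass ~* &* +@all -eval -evalsha",   # EVAL_RO, FCALL... still open
    "user batch off nopass ~* &* +@all",                  # disabled user
]


def parse_version(info_text):
    """Extract (major, minor, patch) from `INFO server` output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version line not found")
    return tuple(int(x) for x in m.groups())


def vulnerable_to_51741(version):
    """True if the version is in the affected range and below its line's fix."""
    if version < (7, 0, 0) or version >= (7, 4, 2):
        return False
    fixed = FIXED_51741.get(version[:2])
    return fixed is None or version < fixed


def user_can_run_scripts(acl_line):
    """Replay one `ACL LIST` line's command rules left to right (as Redis does)
    and return (username, enabled, can_run_any_scripting_command).
    Simplified model: @all and @scripting are expanded, other categories are
    assumed not to contain scripting commands, selectors `(...)` are skipped,
    and subcommand rules (cmd|sub) are resolved conservatively."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % acl_line)
    name, enabled = tokens[1], tokens[2] == "on"
    allowed = set()
    depth = 0
    for tok in tokens[3:]:
        depth += tok.count("(")          # inside a selector: skip its tokens
        if depth:
            depth -= tok.count(")")
            continue
        if tok == "reset":
            allowed.clear()
            continue
        tok = {"allcommands": "+@all", "nocommands": "-@all"}.get(tok, tok)
        if tok[0] not in "+-":
            continue                     # passwords, key/channel patterns, flags
        grant, body = tok[0] == "+", tok[1:].lower()
        if body in ("@all", "@scripting"):
            cmds = set(SCRIPTING_COMMANDS)
        elif body.startswith("@"):
            cmds = set()                 # other categories: no scripting commands
        elif "|" in body:
            # +cmd|sub still exposes part of cmd; -cmd|sub leaves the rest open
            cmds = {body.split("|")[0]} if grant else set()
        else:
            cmds = {body}
        allowed = (allowed | cmds) if grant else (allowed - cmds)
    return name, enabled, bool(allowed & SCRIPTING_COMMANDS)


def audit(info_text, acl_list):
    """Return the list of findings for one server's INFO and ACL LIST output."""
    findings = []
    version = parse_version(info_text)
    if vulnerable_to_51741(version):
        findings.append("CVE-2024-51741: redis %d.%d.%d is below the fixed "
                        "release; upgrade to 7.2.7 or 7.4.2" % version)
    for line in acl_list:
        name, enabled, scripting = user_can_run_scripts(line)
        if enabled and scripting:
            findings.append("CVE-2024-46981: user %r can run scripting commands; "
                            "add -@scripting until patched" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_ACL):
        print(finding)
```

On the sample data the audit flags the 7.2.5 build and the `default` and `legacy` users; `legacy` is reported even though EVAL and EVALSHA are denied, because the rest of the scripting category is still granted. Denying the whole `@scripting` category, as the `ops` user does, is the rule that actually removes the Lua surface.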
Recently, Sophos released an advisory covering patches for three critical flaws – SQL injection, weak credentials on SSH, and code injection in the user portal. In other news, two aggressive botnets are targeting documented vulnerabilities in D-Link routers, aiming to gain full remote control of the devices.