CVE-2024-3019: Flaw Detected in PCP Exposing Redis Server Backend to Local Network

A recently discovered flaw (CVE-2024-3019) in the Performance Co-Pilot (PCP) monitoring software exposes the Redis server backend to the local network. This flaw could allow remote command execution with the privileges of the Redis user when the pmproxy service is running. By default, pmproxy does not run, and must be started manually from the 'Metrics settings' page of the Cockpit web interface. This issue affects PCP versions 4.3.4 and newer.

Exploit Details

This particular vulnerability occurs due to a misconfiguration in pmproxy's default settings. When pmproxy is running, the Redis server backend becomes exposed, allowing remote attackers to access and execute commands with Redis user privileges.

Let's take a closer look at the code where the flaw originates

# server configuration
port 44323
tcp-backlog 511
timeout 
tcp-keepalive 300
daemonize no
supervised no
syslog-enabled yes
maxmemory 
maxmemory-policy volatile-lru
appendfsync everysec

As seen in the code snippet above, the configuration has no restrictions for access, which leads to the Redis server backend vulnerability.

To secure your Redis server and prevent exploitation, update the configuration to only allow connections from trusted sources by adding the "bind" directive and specifying the trusted IP addresses.

bind 127...1 <trusted_ip_address_1> <trusted_ip_address_2>

For more information on this vulnerability, refer to the following sources

1. The official CVE record: CVE-2024-3019
2. The PCP project GitHub repository: github.com/performancecopilot/pcp
3. The National Vulnerability Database entry: NVD - CVE-2024-3019
4. The Cockpit project website: cockpit-project.org

To protect your system from this vulnerability, follow these steps

1. Update your PCP installation to the latest version if using 4.3.4 or higher: PCP Releases
2. Modify the default configuration of the pmproxy service to restrict access to the Redis server backend by adding the "bind" directive as mentioned above.
3. Ensure that the pmproxy service is not running by default, unless necessary for your specific monitoring use case.

Regularly check for updates and patches to keep your system secure.

In conclusion, being aware of the vulnerabilities in the software you are using and taking the necessary precautions are essential for maintaining a secure environment. By updating your PCP installation, modifying the configuration, and being cautious with running the pmproxy service, you can protect your system from potential exploits related to CVE-2024-3019.

Timeline

Published on: 03/28/2024 19:15:49 UTC
Last modified on: 04/30/2024 20:15:08 UTC