CVE-2024-31228 refers to a denial-of-service (DoS) vulnerability found in Redis, an open-source in-memory database that persists on disk. Authenticated users can exploit this vulnerability by using specially crafted, long string match patterns in conjunction with supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and Access Control List (ACL) definitions.
This issue occurs due to unbounded recursion, which results in stack overflow and, ultimately, process crash. The vulnerability has been addressed and fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are strongly advised to upgrade their Redis instances to mitigate this threat, as there are no known workarounds.
Details
An attacker with appropriate access to Redis can exploit this vulnerability by crafting a long string match pattern intended to trigger excessive recursion. The vulnerable Redis commands, when matched with an exceptionally long pattern, could result in a stack overflow and process crash, achieving a denial-of-service.
Here is a code snippet illustrating a potential exploit scenario involving the KEYS command:
import redis
# Connect to Redis
r = redis.Redis(host='localhost', port=6379, db=0)
# A long string pattern
pattern = "A" * 500
# Exploiting the vulnerability by using the KEYS command with the long pattern
result = r.keys(pattern)
Developers and maintainers of Redis have already resolved the issue in recent updates, so upgrading to versions 6.2.16, 7.2.6, or 7.4.1 is highly recommended.
Original References
For detailed information about the vulnerability and its fixes, see the following links:
1. Official Redis Security Announcements: https://groups.google.com/g/redis-announcements
2. Redis 6.2.16 Release Notes: https://groups.google.com/g/redis-announcements/c/ZZQF2vSHFAE
3. Redis 7.2.6 Release Notes: https://groups.google.com/g/redis-announcements/c/CzIuMTKmHuo
4. Redis 7.4.1 Release Notes: https://groups.google.com/g/redis-announcements/c/sugztKHV9X
- Attack Vector: Authenticated user with access to supported Redis commands
- Pre-conditions: Attacker can issue commands like KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and Access Control List (ACL) definitions within Redis with long, crafted string patterns
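For detection, the following Python code scans Redis MONITOR output for the pattern-taking commands listed above and flags glob patterns longer than a threshold. It is an added example, not part of the original advisory or of Redis itself. The 256-character limit, the function names and the sample lines are assumptions constructed for illustration, and ACL definitions are not covered.

```python
import re

# Assumption: the page gives no length threshold; 256 is a placeholder to tune.
MAX_PATTERN_LEN = 256
# MONITOR line format: <timestamp> [<db> <client>] "arg" "arg" ...
LINE_RE = re.compile(r'^(\S+) \[(\d+) (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample input (not captured from a real server); "x" is filler.
SAMPLE = [
    '1728331200.000001 [0 10.0.0.5:50100] "keys" "user:*"',
    '1728331201.000002 [0 10.0.0.9:50222] "KEYS" "' + "x" * 4000 + '"',
    '1728331202.000003 [0 10.0.0.9:50222] "scan" "0" "MATCH" "' + "x" * 900 + '" "COUNT" "10"',
    '1728331203.000004 [0 10.0.0.7:50333] "psubscribe" "news.*" "' + "x" * 300 + '"',
    '1728331204.000005 [0 10.0.0.5:50100] "get" "' + "x" * 5000 + '"',
]

def _after(args, keyword):
    """Return [value] for the argument following `keyword`, else []."""
    for i, a in enumerate(args[:-1]):
        if a.upper() == keyword:
            return [args[i + 1]]
    return []

def patterns_in(args):
    """Extract the glob-pattern arguments of one parsed command."""
    cmd = args[0].upper() if args else ""
    sub = args[1].upper() if len(args) > 1 else ""
    if cmd == "KEYS":
        return args[1:2]
    if cmd == "PSUBSCRIBE":
        return args[1:]
    if cmd == "SCAN":
        return _after(args[2:], "MATCH")
    if cmd == "FUNCTION" and sub == "LIST":
        return _after(args[2:], "LIBRARYNAME")
    if cmd == "COMMAND" and sub == "LIST":
        return _after(args[2:], "PATTERN")
    return []

def flag_long_patterns(lines, limit=MAX_PATTERN_LEN):
    """Return (client, command, pattern_length) for each oversized pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MONITOR command line
        args = ARG_RE.findall(m.group(4))
        hits += [(m.group(3), args[0].upper(), len(p))
                 for p in patterns_in(args) if len(p) > limit]
    return hits
```

MONITOR prints non-printable bytes in escaped form, so the measured length is that of the escaped text and can exceed the raw pattern length. MONITOR also adds load to the server, so run it for short sampling windows rather than continuously.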
Conclusion
CVE-2024-31228 represents a denial-of-service vulnerability within Redis due to unbounded recursion. It affects specific commands when they're matched with long string patterns. The issue is resolved in versions 6.2.16, 7.2.6, and 7.4.1, and all users are advised to upgrade their Redis instances accordingly. No known workarounds exist, so updating to the fixed versions is crucial to mitigate potential threats.
Timeline
Published on: 10/07/2024 20:15:05 UTC
Last modified on: 10/10/2024 12:57:21 UTC