Redis is an open-source, in-memory database that persists on disk, commonly used in a variety of modern applications for caching, message queues, and configuration storage. It offers high-performance data access and flexibility through its support for various data structures and extensive scripting capabilities, such as Redis Lua scripting.

However, a recent vulnerability identified in all versions of Redis with Lua scripting has exposed Redis servers to potential security risks. This article explains the critical vulnerability, tracked as CVE-2024-31449, and how to fix it.

Vulnerability Details

CVE-2024-31449 affects the Lua scripting features of Redis. The vulnerability is caused by a stack buffer overflow in the bit library, allowing an authenticated user to submit a maliciously crafted Lua script that could lead to remote code execution.

The issue arises from insufficient boundary checks while dealing with specially crafted input for Lua bitwise operations in the bit library, resulting in a stack buffer overflow that could corrupt memory and potentially lead to remote code execution.

Here is an example of a Lua script snippet that could trigger the vulnerability:

local bit = require("bit")
local input = "A" .. string.rep("\x00", 32)
local result = bit.band(input, input)

This Lua script utilizes Redis' bit library to perform a bitwise AND operation on a maliciously crafted input string. The string is 32 bytes longer than what the library safely handles, triggering the stack buffer overflow.

The following links provide more information about CVE-2024-31449 and its impact on various Redis versions:

1. The official Redis security advisory: https://github.com/redis/redis/blob/unstable/00-RELEASENOTES
2. CVE-2024-31449 in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-31449
3. The original reporter's detailed disclosure: https://hackerone.com/reports/31449

Affected Versions and Fix

This vulnerability affects all Redis versions that utilize Lua scripting. Fortunately, the Redis development team has already issued a fix for this issue in the following Redis versions:

7.4.1

Redis users are strongly advised to upgrade to a fixed version to protect their servers against potential exploitation of this vulnerability. No known workarounds exist for this issue, so upgrading to a fixed version is the only confirmed solution.
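To prioritize the upgrade, the added example below (not code from Redis or from the original article) takes the text output of `INFO server` and `ACL LIST` and reports which enabled accounts can submit Lua scripts to a server older than 7.4.1. The function names and sample data are constructed for illustration. It assumes the script entry points are EVAL, EVALSHA, FCALL and their `_RO` variants, and that these belong to the `@scripting` and `@slow` ACL categories.

```python
import re

FIXED = (7, 4, 1)  # the only fixed release this article names
SCRIPT_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro"}
SCRIPT_CATS = {"@all", "@scripting", "@slow"}  # assumed categories containing them
ALIASES = {"allcommands": "+@all", "nocommands": "-@all"}

def needs_upgrade(info_text):
    """True if `INFO server` output reports a version below FIXED, or none."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        return True  # unknown version: treat as unpatched until verified
    return tuple(int(x) for x in m.groups()) < FIXED  # numeric: 7.10.0 > 7.4.1

def _allowed(rules):
    """Apply ACL command rules left to right; return script commands still allowed."""
    allowed = set()
    for rule in (r.lower() for r in rules):
        rule = ALIASES.get(rule, rule)
        sign, name = rule[:1], rule[1:]
        if sign not in ("+", "-"):
            continue  # key patterns, password hashes, flags
        hit = SCRIPT_CMDS if name in SCRIPT_CATS else SCRIPT_CMDS & {name}
        allowed = allowed | hit if sign == "+" else allowed - hit
    return allowed

def can_run_lua(acl_line):
    """True if the enabled user on one `ACL LIST` line can execute Lua scripts."""
    parts = acl_line.split(None, 2)
    body = parts[2] if len(parts) == 3 else ""
    selectors = re.findall(r"\(([^)]*)\)", body)  # Redis 7 selectors, checked separately
    root = re.sub(r"\([^)]*\)", " ", body).split()
    if "on" not in root:
        return False  # a disabled account cannot authenticate
    return any(_allowed(p) for p in [root] + [s.split() for s in selectors])

def triage(info_text, acl_lines):
    """Accounts that can reach the Lua engine on a server still needing the upgrade."""
    if not needs_upgrade(info_text):
        return []
    return [line.split()[1] for line in acl_lines if can_run_lua(line)]

# Constructed sample data, not output captured from a real server.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user cache on #<hash> ~cache:* resetchannels -@all +get +set",
    "user jobs on #<hash> ~* resetchannels -@all +@read +evalsha",
    "user old off #<hash> ~* +@all",
]
```

Calling `triage(SAMPLE_INFO, SAMPLE_ACL)` returns `['default', 'jobs']`. Extend `FIXED` handling if your vendor's advisory lists patched releases on other branches.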

Conclusion

CVE-2024-31449 is a critical vulnerability in Redis that impacts the Lua scripting environment. By exploiting this vulnerability, an authenticated attacker can trigger a stack buffer overflow, potentially leading to remote code execution. To mitigate this risk, it is essential to upgrade Redis to one of the fixed versions mentioned above. Regularly updating software and adhering to best security practices can help protect against potential security threats and ensure a secure environment for your applications.

Timeline

Published on: 10/07/2024 20:15:05 UTC
Last modified on: 10/10/2024 12:57:21 UTC