Redis, Connection Timeout Vulnerability, CVE-2023-XXXX (Critical)

By /

How the Mentioned CVE Works:

The vulnerability arises when the `CLIENT SETINFO` command times out during the establishment of a connection in Redis. This timeout can occur under specific conditions:
1. The client is configured to transmit its identity, which can be disabled using the `DisableIndentity` flag.

2. Network connectivity issues disrupt the connection.

  1. Aggressive timeout settings are configured on the client.

The impact varies based on the use case:

  • Sticky Connections: Persistent out-of-order responses occur for the lifetime of the connection.
  • Pipelines: All commands in the pipeline receive incorrect responses.
  • Default Connection Pool Usage: When a connection is returned to the pool, the read buffer is checked, and the connection is marked as bad due to unread data, resulting in at most one out-of-order response before the connection is discarded.
    A patch has been prepared in redis/go-redis3295, and workarounds include setting the `DisableIndentity` flag to `true` during client instance construction.

DailyCVE Form:

Platform: Redis
Version: go-redis (pre-patch versions)
Vulnerability: Connection Timeout
Severity: Critical
Date: 2023-XX-XX

What Undercode Say:

Exploitation:

1. Exploit Code:

client := redis.NewClient(&redis.Options{
Addr: "localhost:6379",
Password: "", // no password set
DB: 0, // use default DB
})
// Simulate timeout by setting aggressive timeouts
client.Options().ReadTimeout = 1 time.Nanosecond
client.Options().WriteTimeout = 1 time.Nanosecond

This configuration can trigger the vulnerability by forcing a timeout during CLIENT SETINFO.

2. Exploit Impact:

  • Out-of-order responses in pipelines.
  • Persistent connection issues in sticky connections.

Protection:

1. Patch Application:

Update to the latest patched version of `go-redis` once released.

2. Workaround Implementation:

client := redis.NewClient(&redis.Options{
Addr: "localhost:6379",
DisableIndentity: true, // Mitigates the vulnerability
})

3. Monitoring Commands:

  • Use Redis CLI to monitor connection health: 
    redis-cli --latency -h <host> -p <port>
  • Check for unread data in connections: 
    redis-cli --scan --pattern "unread:"

4. Network Configuration:

  • Ensure stable network connectivity to prevent timeouts.
  • Avoid aggressive timeout settings in client configurations.

5. Logging and Alerts:

Implement logging for connection timeouts and monitor for anomalies:

client := redis.NewClient(&redis.Options{
Addr: "localhost:6379",
OnConnect: func(ctx context.Context, cn redis.Conn) error {
log.Println("New connection established")
return nil
},
})

By applying these measures, the vulnerability can be effectively mitigated.

References:

Reported By: https://github.com/advisories/GHSA-92cp-5422-2mw7
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Scroll to Top