In January 2022, Reginaldo Silva, a Redis maintainer, uncovered a vulnerability in Redis dubbed the Lua Sandbox Escape vulnerability, which allows remote attackers with the ability to execute Lua scripts to escape the Lua sandbox and execute arbitrary code on the host. The flaw is tracked as CVE-2022-0543 and carries the highest possible score of 10 under the CVSSv3 scoring system. This vulnerability is a warning for anyone who runs Redis on Debian, Ubuntu, or any other Debian-based Linux distribution. Additionally, Juniper found attacks targeting this vulnerability. Considering these factors, we urge anyone running Redis on a Debian-based Linux platform to fix CVE-2022-0543 without further delay. Let's see how to fix CVE-2022-0543, a Lua Sandbox Escape vulnerability in Redis that gives attackers remote code execution.
Remote Dictionary Server, or Redis for short, is a fast, open-source, in-memory, key-value data store used as a database, cache, streaming engine, and message broker by millions of developers. Its blazing-fast response times (millions of requests per second) allow it to be used in real-time applications such as gaming, caching, session management, ad-tech, financial services, healthcare, real-time analytics, geospatial, ride-hailing, chat/messaging, media streaming, and IoT.
The issue exists in the Lua scripting engine of the Redis datastore. Redis's scripting engine is built on the Lua programming language and is reached through the EVAL command. By design, the Lua engine should be sandboxed so that Redis clients can only interact with the Redis APIs; clients should not be able to execute arbitrary code on the machine running Redis.
This vulnerability arises because the Lua library in some Debian/Ubuntu packages is provided as a dynamic library. When the Lua interpreter initializes, the "package" variable is automatically populated, which in turn permits access to arbitrary Lua functionality. This lets remote attackers with the ability to execute Lua scripts escape the Lua sandbox and execute arbitrary code on the host.
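A defender wants to know whether a given instance exposes that "package" table before worrying about the rest. The probe below is an added example, not code from the original post or from Redis: it sends the one-line script `return type(package)` and classifies the reply. It loads no library and runs no command. The classification rule is my assumption, not something the page states: an unpatched Debian/Ubuntu build answers "table" because "package" was populated at interpreter start-up, while Redis's bundled Lua either answers "nil" or raises its "nonexistent global variable" sandbox error. The redis-py client is used only in `main()`.

```python
"""Added example (not from the original post or Redis): read-only probe for
whether a Redis instance's Lua sandbox exposes the 'package' library, the
precondition for the CVE-2022-0543 escape.  Only type(package) is queried.

Assumption (mine): unpatched Debian/Ubuntu builds answer "table"; Redis's
bundled Lua answers "nil" or raises the "nonexistent global variable" error
that its global-variable protection produces.
"""
from typing import Callable

# Harmless probe: returns the Lua type name of the global 'package'.
PROBE_SCRIPT = "return type(package)"


def classify_probe(run_eval: Callable[[str], object]) -> str:
    """Run PROBE_SCRIPT through run_eval(script) and classify the reply.

    run_eval is any callable that sends a Lua script to Redis with zero keys
    and returns the reply (or raises on a Redis error).  Returns:
      'exposed'   - 'package' is a table: the sandbox is likely escapable
      'sandboxed' - 'package' is absent or reading it is blocked
      'unknown'   - an unexpected reply or error
    """
    try:
        reply = run_eval(PROBE_SCRIPT)
    except Exception as exc:  # redis.ResponseError on a live server
        # Redis's global protection refuses reads of undefined globals.
        if "nonexistent global" in str(exc):
            return "sandboxed"
        return "unknown"
    if isinstance(reply, bytes):          # redis-py returns bytes by default
        reply = reply.decode()
    if reply == "table":
        return "exposed"
    if reply == "nil":
        return "sandboxed"
    return "unknown"


def main(host: str = "127.0.0.1", port: int = 6379) -> str:
    """Probe one Redis instance you administer (needs `pip install redis`)."""
    import redis
    client = redis.Redis(host=host, port=port)
    verdict = classify_probe(lambda script: client.eval(script, 0))
    print(f"{host}:{port}: Lua sandbox {verdict}")
    return verdict


if __name__ == "__main__":
    main()
```

Run it against each Redis host in your inventory; any "exposed" result means the package upgrade described later in this post is overdue on that host, regardless of what the version string says.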
This is a Critical vulnerability with a CVSS score of 10 out of 10.
| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-0543 |
| Description | A Critical Lua Sandbox Escape vulnerability in Redis that allows attackers to perform remote code execution on the host running Redis. |
| Associated ZDI ID | – |
| CVSS Score | 10.0 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Impact Score | 6.0 |
| Exploitability Score | 3.9 |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Redis package versions less than or equal to redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4 and redis/5:6.0.15-1 are vulnerable to the flaw. Please check the version of the Redis server running on your servers and take action to fix CVE-2022-0543 if you see any of these versions. Since this vulnerability affects the Lua library in some Debian/Ubuntu packages, Debian-based Linux distributions such as Ubuntu, Linux Mint and Raspberry Pi OS are all affected.
Please read the advisory from Debian and Ubuntu for more information. Note for Ubuntu: Ubuntu Bionic and Trusty are safe and not affected by this flaw.
Command to check the Redis server version:
$ sudo redis-server --version
Reginaldo Silva presented a proof of concept showing how this flaw can be tested on servers running Redis.
Run this command if the Redis server on your Debian or Ubuntu servers is at version redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4 or redis/5:6.0.15-1 or lower.
> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0
In the picture below, the author achieves code execution by dumping the contents of /etc/passwd.
Juniper Threat Labs identified cyberattacks targeting this vulnerability. Their analysis says the attacks started on 11 March 2022 and come from the same group behind the Log4j2 attacks. The threat actors have been using a variant of the Muhstik bot to exploit this vulnerability. Technical analysis shows that the bot first downloads the russia.sh script from "106[.]246.224.219", saves it as "/tmp/russ" and runs it. The russia.sh script then downloads more malware from 160[.]16.58.163 and runs it for further exploitation. Please read the full technical details from Juniper Threat Labs here.
Indicators of Compromise
4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197 pty1
46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f pty10
95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b pty2
7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3 pty3
16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2 pty4
28443c0a9bfd8a12c12a2aad3cc97d2e8998a9d8825fcf3643d46012f18713f0 pty5
36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54 russia.sh
Download IP
106[.]246.224.219
160[.]16.58.163
Attacker IP
104[.]236.150.159
170[.]210.45.163
146[.]185.136.187
178[.]62.69.4
191[.]232.38.25
79[.]172.212.132
221[.]120.103.253
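Detection, as an added example that is not part of the original post or of Juniper's report: the function below scans Redis MONITOR output (Redis's own `<timestamp> [<db> <ip:port>] "CMD" "arg" ...` line layout) for the Lua constructs the proof of concept above relies on and for the indicators listed above. The sample MONITOR lines are constructed for this example; the IP and hash sets are the page's indicators with the `[.]` defanging removed, and only two of the seven file hashes are included to keep the block short.

```python
"""Added example (not from the original post or Juniper): scan Redis MONITOR
output for the Lua sandbox-escape constructs used in the PoC above and for
the indicators of compromise listed above.  Sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Lua constructs the escape depends on (seen in the PoC above).  Ordinary
# application scripts only touch redis.call/redis.pcall and never these.
LUA_ESCAPE_PATTERNS = {
    "package.loadlib": re.compile(r"package\s*\.\s*loadlib"),
    "io.popen": re.compile(r"\bio\s*\.\s*popen"),
    "liblua-shared-object": re.compile(r"liblua5\.1\.so"),
}
# Artefacts of the Muhstik campaign described above.
CAMPAIGN_STRINGS = ("russia.sh", "/tmp/russ")


def refang(ip: str) -> str:
    """Turn the defanged '106[.]246.224.219' form into a real dotted quad."""
    return ip.replace("[.]", ".")


DOWNLOAD_IPS = {refang(ip) for ip in ("106[.]246.224.219", "160[.]16.58.163")}
ATTACKER_IPS = {refang(ip) for ip in (
    "104[.]236.150.159", "170[.]210.45.163", "146[.]185.136.187",
    "178[.]62.69.4", "191[.]232.38.25", "79[.]172.212.132", "221[.]120.103.253",
)}
MALWARE_SHA256 = {  # two of the seven hashes above; extend with the rest
    "36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54": "russia.sh",
    "4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197": "pty1",
}

MONITOR_LINE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')   # MONITOR escapes inner quotes as \"


@dataclass
class Finding:
    timestamp: str
    client: str
    command: str
    indicators: list


def scan_monitor_lines(lines):
    """Return a Finding for every MONITOR line that trips an indicator."""
    findings = []
    for raw in lines:
        m = MONITOR_LINE.match(raw.strip())
        if not m:
            continue
        args = [a.replace('\\"', '"') for a in QUOTED_ARG.findall(m["args"])]
        if not args:
            continue
        command = args[0].upper()
        hits = []
        # Script bodies travel inside EVAL and SCRIPT LOAD; EVALSHA carries only a hash.
        if command in ("EVAL", "SCRIPT"):
            body = " ".join(args[1:])
            hits += [name for name, pat in LUA_ESCAPE_PATTERNS.items() if pat.search(body)]
        whole = " ".join(args)
        hits += [f"campaign-string:{s}" for s in CAMPAIGN_STRINGS if s in whole]
        hits += [f"download-ip:{ip}" for ip in sorted(DOWNLOAD_IPS) if ip in whole]
        client_ip = m["client"].rsplit(":", 1)[0]
        if client_ip in ATTACKER_IPS:
            hits.append(f"attacker-ip:{client_ip}")
        if hits:
            findings.append(Finding(m["ts"], m["client"], command, hits))
    return findings


def match_hashes(sha256_values):
    """Map any SHA-256 in the input that is a known campaign file to its name."""
    known = {}
    for h in sha256_values:
        h = h.lower()
        if h in MALWARE_SHA256:
            known[h] = MALWARE_SHA256[h]
    return known


SAMPLE_MONITOR = [  # constructed for this example
    '1647000001.123456 [0 10.0.0.5:54321] "SET" "session:42" "abc"',
    '1647000002.223456 [0 10.0.0.5:54321] "EVAL" "return redis.call(\'GET\', KEYS[1])" "1" "session:42"',
    '1647000003.323456 [0 104.236.150.159:40111] "EVAL" "local io_l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\\", \\"luaopen_io\\"); local io = io_l(); local f = io.popen(\\"id\\", \\"r\\"); return f:read(\\"*a\\")" "0"',
    '1647000004.423456 [0 104.236.150.159:40111] "PING"',
]

if __name__ == "__main__":
    for f in scan_monitor_lines(SAMPLE_MONITOR):
        print(f"{f.timestamp} {f.client} {f.command}: {', '.join(f.indicators)}")
```

MONITOR is expensive on a busy instance, so in practice feed this the same lines from a short capture or from a proxy log that records Redis commands; the parser only needs the timestamp, client and quoted argument layout. Because EVALSHA sends only a script hash, the matching script body will appear in an earlier SCRIPT LOAD or EVAL line, which is why both of those commands are inspected.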
The best way to fix CVE-2022-0543 is to upgrade to the fixed or latest available versions. This vulnerability is fixed in Redis server package versions redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2 and redis/5:7.0~rc2-2. Please upgrade your Redis to one of these versions. Note that installing from the default apt repositories gives you Redis server v5.0.7, which is vulnerable. Please follow these steps to upgrade your Redis server from v5.x to stable 6.x.
Upgrade the Redis server from 5.x to new stable 6.x.
Run this command to check the Redis server version:
$ sudo redis-server --version
Run these commands to add the official apt source:
$ curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
$ echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list
Run these two commands to update the apt repository and install the Redis server:
$ sudo apt update
$ sudo apt install redis
Check the Redis server version again to validate that the upgrade succeeded:
$ sudo redis-server --version
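The version strings quoted in this post (both the vulnerable ones and the fixed ones) are Debian package versions, which `redis-server --version` does not print and which plain string comparison gets wrong because of the `5:` epoch, the `~rc2` pre-release marker and the `+deb11u2` stable-update suffix. The script below is an added example, not the post's own procedure and not Debian tooling: it re-implements dpkg's version ordering in Python and checks the installed package against the fixed versions listed above. Two things in it are my assumptions: the installed version is read with `dpkg-query -W -f='${Version}' redis-server`, and a host counts as fixed when its package is at or above the lowest fixed version of the same upstream major.minor series (series the post does not list are reported as "unknown").

```python
"""Added example (not the post's procedure, not Debian tooling): decide whether
an installed redis-server package is at or above the fixed versions named
above, using dpkg's version ordering (epoch, '~' sorts before anything,
letters before other symbols, digit runs compared numerically).

Assumptions (mine): the version comes from `dpkg-query -W -f='${Version}'`,
and 'fixed' means at or above the lowest fixed version of the same upstream
major.minor series.
"""
import functools
import re
import subprocess

FIXED_VERSIONS = [  # from the fix section above
    "5:6.0.16-1+deb11u2",
    "5:5.0.14-1+deb10u2",
    "5:6.0.16-2",
    "5:7.0~rc2-2",
]


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end-of-string/digit < letters < others."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else "")
            bc = _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; a longer run wins, otherwise the
        # first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """'5:6.0.16-1+deb11u2' -> (5, '6.0.16', '1+deb11u2')."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def _series(version: str) -> str:
    """Upstream major.minor, e.g. '5:7.0~rc2-2' -> '7.0'."""
    upstream = _split(version)[1]
    m = re.match(r"\d+\.\d+", upstream)
    return m.group(0) if m else upstream


def assess(installed: str, fixed_versions=FIXED_VERSIONS) -> str:
    """'fixed', 'vulnerable' or 'unknown' for one installed package version."""
    candidates = [f for f in fixed_versions if _series(f) == _series(installed)]
    if not candidates:
        return "unknown"   # series not covered by the fix list above
    floor = min(candidates, key=functools.cmp_to_key(dpkg_compare))
    return "fixed" if dpkg_compare(installed, floor) >= 0 else "vulnerable"


def installed_version(package: str = "redis-server") -> str:
    """Ask dpkg for the installed package version (Debian/Ubuntu hosts only)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    print(f"redis-server {v}: {assess(v)}")
```

Packages installed from packages.redis.io carry their own version scheme rather than the Debian `+debXuY` suffixes, so after following the upgrade steps above the installed version will be a plain 6.x or 7.x string that sorts above every fixed version in its series. The `_series` check is there so that a build the post never mentions (a 4.x package, for instance) is flagged for manual review instead of being silently reported as safe.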
We hope this post has helped you understand how to fix CVE-2022-0543, a Critical Lua Sandbox Escape vulnerability in Redis.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.