In January 2022, security researcher Reginaldo Silva disclosed a vulnerability in the Debian and Ubuntu packages of Redis, dubbed the Lua Sandbox Escape vulnerability, that allows a remote attacker who can execute Lua scripts on the server to escape the Lua sandbox and run arbitrary code on the host. The flaw is tracked as CVE-2022-0543 and carries a CVSSv3 base score of 10.0, the highest possible. It matters to anyone running Redis on Debian, Ubuntu or any other Debian-derived Linux distribution, because the bug lies in how those packages build Redis against the system Lua library rather than in upstream Redis itself. Juniper Threat Labs has already observed attacks exploiting it. Given these factors, we urge everyone running Redis on a Debian-based Linux platform to fix CVE-2022-0543 without further delay. Let's see how to fix CVE-2022-0543, a Lua sandbox escape vulnerability in Redis that gives attackers remote code execution.
What Is Redis?
Remote Dictionary Server, Redis for short, is a fast, open-source, in-memory key-value data store used as a database, cache, streaming engine and message broker by millions of developers. Its response times (it can serve millions of requests per second) allow it to be used in real-time applications such as gaming, caching, session management, ad-tech, financial services, healthcare, real-time analytics, geospatial, ride-hailing, chat/messaging, media streaming and IoT.
Where Does The Vulnerability Exist In Redis Data Store?
The issue lies in the Lua scripting engine of the Redis data store. Redis embeds a Lua interpreter, which clients reach through the EVAL command (and through EVALSHA and SCRIPT LOAD). By design the interpreter is sandboxed: a script can only call back into Redis through the redis.call/redis.pcall API, and clients are not supposed to be able to run arbitrary code on the machine hosting Redis.
The vulnerability arises because the Debian and Ubuntu packages build Redis against the system's Lua shared library (liblua5.1) instead of the copy of Lua bundled with the Redis source. When the interpreter is initialised in that configuration, the "package" global is populated, and package.loadlib can load any shared library on the host and call an exported function from it. That is enough to pull in Lua's io and os libraries, which the sandbox deliberately leaves out, so a remote attacker who can execute Lua scripts can escape the sandbox and run arbitrary commands on the host.
Summary Of CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis
This is a Critical vulnerability with a CVSSv3 base score of 10.0 out of 10.
| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-0543 |
| Description | A critical Lua sandbox escape vulnerability in the Debian/Ubuntu Redis packages that allows a remote attacker who can run Lua scripts (EVAL) to execute arbitrary code on the host running Redis. |
| Associated ZDI ID | none |
| CVSS Score | 10.0 Critical (CVSSv3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Confidentiality / Integrity / Availability impact | High / High / High |
Redis Versions Vulnerable To The CVE-2022-0543 Vulnerability:
The vulnerable versions are the Debian package versions redis/5:5.0.14-1+deb10u1 (buster), redis/5:5.0.3-4 and redis/5:6.0.15-1, and everything below them. Note that the "5:" epoch and the "-1+deb10u1" suffix are Debian packaging strings, not upstream Redis version numbers, so compare against the installed package version rather than the version Redis prints about itself. Because the flaw is in how the Debian/Ubuntu packages are built, Debian-based distributions such as Ubuntu, Linux Mint and Raspberry Pi OS are affected too, whereas Redis built from upstream source or installed from the upstream packages.redis.io repository is not.
Commands to check the Redis server version and the installed package version:
$ sudo redis-server --version
$ dpkg-query -W -f='${Version}\n' redis-server
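The version strings above are Debian package versions, and comparing them correctly is not a plain string comparison: the epoch before the colon, the `~` that sorts a release candidate below its final release, and the `+deb10u1` stable-update suffix all follow dpkg's ordering rules. The following script, an added example that is not code from the original post or from the Redis or Debian projects, re-implements that ordering and reports whether an installed package version is at or above the fixed version for its branch. Its fixed-version list is the Debian one given later on this page; Ubuntu publishes its own fixed version strings, which are not on this page, so pass those as extra arguments when checking an Ubuntu host. On a Debian host `dpkg --compare-versions` gives the same ordering and can be used instead.

```python
"""Check an installed Debian/Ubuntu redis-server package version against the
CVE-2022-0543 fixed versions, using dpkg's own version ordering rules.
Added example; not code from the original post, Redis or Debian."""
import re
import subprocess
import sys
from functools import cmp_to_key

# Fixed Debian package versions from the advisory, one per release branch.
FIXED_VERSIONS = ("5:5.0.14-1+deb10u2", "5:6.0.16-1+deb11u2", "5:6.0.16-2", "5:7.0~rc2-2")

def _at(s, k):
    return s[k] if k < len(s) else ""   # "" plays the role of C's terminating NUL

def _isdigit(c):
    return c != "" and c in "0123456789"

def _order(c):
    """dpkg's character weight: digits 0, letters by code point, '~' below everything."""
    if _isdigit(c) or c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version component (upstream or revision) the way dpkg does."""
    i = j = 0
    while _at(a, i) or _at(b, j):
        first_diff = 0
        # Non-digit run: compare character by character by weight.
        while (_at(a, i) and not _isdigit(_at(a, i))) or (_at(b, j) and not _isdigit(_at(b, j))):
            oa, ob = _order(_at(a, i)), _order(_at(b, j))
            if oa != ob:
                return oa - ob
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _isdigit(_at(a, i)) and _isdigit(_at(b, j)):
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _isdigit(_at(a, i)):
            return 1
        if _isdigit(_at(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, (head, sep, tail) = 0, version.partition(":")
    if sep and head.isdigit():
        epoch, version = int(head), tail
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as `dpkg --compare-versions` would."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def _branch(version):
    """Stable-update marker ('+deb10u', '+deb11u') or '' for testing/sid/experimental."""
    m = re.search(r"\+deb\d+u", version)
    return m.group(0) if m else ""

def is_fixed(installed, fixed_versions=FIXED_VERSIONS):
    """True if `installed` is at or above the fixed version of its own branch.
    Candidates are limited to the same branch and, where one exists, the same
    upstream major: a plain "above any fixed version" test would wrongly accept
    5:6.0.15-1, which sorts above the buster fix but below the sid fix 5:6.0.16-2."""
    branch = _branch(installed)
    candidates = [f for f in fixed_versions if _branch(f) == branch]
    major = parse_version(installed)[1].split(".")[0]
    candidates = [f for f in candidates if parse_version(f)[1].split(".")[0] == major] or candidates
    if not candidates:
        return False
    threshold = min(candidates, key=cmp_to_key(compare_versions))
    return compare_versions(installed, threshold) >= 0

if __name__ == "__main__":
    # Usage: check.py [installed-version] [extra-fixed-version ...]; with no
    # arguments the installed version is read from dpkg on the local host.
    if len(sys.argv) > 1:
        installed = sys.argv[1]
    else:
        installed = subprocess.check_output(
            ["dpkg-query", "-W", "-f=${Version}", "redis-server"], text=True).strip()
    print(installed, "fixed" if is_fixed(installed, FIXED_VERSIONS + tuple(sys.argv[2:])) else "VULNERABLE")
```

Run it with no arguments on the Redis host to read the version from dpkg, or pass a version string copied from another machine. A "fixed" verdict only says the package is at or above the fix; confirm the running process was restarted on the new binary as well.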
How To Test Your Server Is Vulnerable To The CVE-2022-0543 Vulnerability?
Reginaldo Silva published a proof of concept that shows how the flaw can be tested on servers running Redis.
If your Debian or Ubuntu server runs one of the vulnerable package versions listed above (redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, redis/5:6.0.15-1 or lower), run this command from redis-cli. It uses package.loadlib to load the luaopen_io function from the system Lua library, opens the io library with it, and calls io.popen to run a shell command, which is exactly what the sandbox is supposed to prevent. Only run it against an instance you own: the command executes on the server with the privileges of the Redis process.
> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0
In the author's proof of concept the command returns the contents of /etc/passwd, demonstrating code execution on the host. On a fixed or upstream build the same script fails instead of returning output, because the "package" global is not available to scripts.
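The proof of concept above proves the point by running a shell command, which you may not want to do against a production instance. The script below is an added example, not code from the original post or from the Redis project; it asks the sandbox the narrower question of whether `package.loadlib` is callable from EVAL and reads the answer back without calling it. It speaks RESP directly over a socket so that it needs nothing beyond the Python standard library, and its framing and reply parsing are exercised offline on constructed replies. The verdicts assume the reply shapes described here: a vulnerable Debian build returns the bulk string "function", while a fixed or upstream build returns "nil" or rejects the lookup of an undeclared global with an error.

```python
"""Non-destructive probe for the CVE-2022-0543 sandbox escape.
Added example; not code from the original post or from the Redis project."""
import socket
import sys

# Lua probe: reports the Lua type of package.loadlib without calling it.
# rawget bypasses the metatable Redis places on _G, which otherwise raises
# "Script attempted to access nonexistent global variable" for undeclared names.
PROBE_SCRIPT = """
local p = rawget(_G, 'package')
if type(p) ~= 'table' then return 'nil' end
return type(rawget(p, 'loadlib'))
"""

def encode_command(*args):
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)

def parse_reply(raw):
    """Parse one RESP2 reply into (kind, payload): status, error, int, bulk or nil."""
    head, sep, rest = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete reply")
    prefix, body = head[:1], head[1:]
    if prefix == b"+":
        return "status", body.decode()
    if prefix == b"-":
        return "error", body.decode()
    if prefix == b":":
        return "int", int(body)
    if prefix == b"$":
        length = int(body)
        if length < 0:
            return "nil", None
        if len(rest) < length + 2:
            raise ValueError("incomplete bulk reply")
        return "bulk", rest[:length].decode()
    raise ValueError("unsupported reply type %r" % prefix)

def classify(reply):
    """Map the EVAL reply to a verdict string."""
    kind, payload = reply
    if kind == "bulk" and payload == "function":
        return "vulnerable"        # package.loadlib is callable from EVAL
    if kind == "bulk" and payload == "nil":
        return "not-exposed"       # package absent, or loadlib removed
    if kind == "error" and "nonexistent global" in payload:
        return "not-exposed"       # the sandbox blocked the global lookup
    if kind == "error" and payload.startswith("NOAUTH"):
        return "auth-required"
    return "unknown"

def probe(host="127.0.0.1", port=6379, password=None, timeout=5.0):
    """Send the probe to a live server and return classify()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(encode_command("AUTH", password))
            parse_reply(sock.recv(4096))
        sock.sendall(encode_command("EVAL", PROBE_SCRIPT, "0"))
        return classify(parse_reply(sock.recv(4096)))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(probe(host, port))
```

The same Lua body can be passed to `redis-cli EVAL "..." 0` by hand; the script only adds the socket handling and the verdict mapping. A "vulnerable" result means the loader is reachable, which is the precondition the proof of concept relies on, so there is no need to run io.popen to confirm it.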
Attacks Detected Targeting The Lua Sandbox Escape Vulnerability:
Juniper Threat Labs identified attacks targeting this vulnerability. Their telemetry shows the attacks began on 11 March 2022, and they attribute them to the same actor that previously exploited the Log4j vulnerability. The threat actor uses a variant of the Muhstik bot. According to their analysis, the exploit first downloads a script named russia.sh from 106[.]246.224.219, saves it as /tmp/russ and runs it; russia.sh then downloads further malware from 160[.]16.58.163 and executes it. Juniper Threat Labs' write-up contains the full technical analysis.
Indicators of Compromise (SHA-256)
- 4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197 pty1
- 46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f pty10
- 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b pty2
- 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3 pty3
- 16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2 pty4
- 28443c0a9bfd8a12c12a2aad3cc97d2e8998a9d8825fcf3643d46012f18713f0 pty5
- 36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54 russia.sh
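The attack chain above enters through the same EVAL call as the proof of concept, so the script body is the detection opportunity: `redis-cli MONITOR` prints every command with its arguments, and any EVAL or SCRIPT LOAD whose Lua source mentions `package.loadlib` or the io/os library loaders is an exploitation attempt rather than application logic. The following detector is an added example, not code from the original post, from Juniper or from the Redis project; it parses MONITOR's line format, undoes its argument escaping and flags such scripts. The sample lines are constructed to illustrate it (the client addresses are documentation ranges, not the indicators above).

```python
"""Flag Lua scripts that reach for package.loadlib in `redis-cli MONITOR` output.
Added example; not code from the original post, Juniper or the Redis project.
The sample lines below are constructed; the addresses are documentation ranges."""
import re
import sys

MONITOR_LINE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$")
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b"}

# Lua fragments that have no place in an application script: the loader itself,
# the two libraries the sandbox deliberately omits, and their process-spawning calls.
SUSPICIOUS = ("package.loadlib", "luaopen_io", "luaopen_os", "io.popen", "os.execute")

def _unescape(s):
    """Undo MONITOR's argument escaping (backslash-quote, double backslash, \\n, \\xNN)."""
    def one(m):
        esc = m.group(1)
        if len(esc) == 3 and esc[0] == "x":
            return chr(int(esc[1:], 16))
        return _ESCAPES.get(esc, esc)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", one, s)

def parse_monitor_line(line):
    """Return {'ts', 'db', 'client', 'args'} for one MONITOR line, or None if it is not one."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    args = [_unescape(a) for a in QUOTED_ARG.findall(m.group("args"))]
    return {"ts": float(m.group("ts")), "db": int(m.group("db")), "client": m.group("client"), "args": args}

def script_source(args):
    """Lua source carried by EVAL or SCRIPT LOAD; EVALSHA carries only a hash."""
    if not args:
        return None
    cmd = args[0].lower()
    if cmd == "eval" and len(args) >= 2:
        return args[1]
    if cmd == "script" and len(args) >= 3 and args[1].lower() == "load":
        return args[2]
    return None

def detect(lines):
    """Return one alert per line whose script contains a suspicious fragment."""
    alerts = []
    for line in lines:
        rec = parse_monitor_line(line)
        src = script_source(rec["args"]) if rec else None
        if src is None:
            continue
        hits = [s for s in SUSPICIOUS if s in src]
        if hits:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "indicators": hits})
    return alerts

# Constructed sample: a normal SET, a legitimate EVAL, then the escape as EVAL and as SCRIPT LOAD.
SAMPLE_MONITOR = [
    '1647000001.100000 [0 10.0.0.5:51234] "set" "session:42" "alice"',
    '1647000002.200000 [0 10.0.0.5:51234] "eval" "return redis.call(\'get\', KEYS[1])" "1" "session:42"',
    '1647000003.300000 [0 198.51.100.7:40022] "eval" "local io_l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\\", \\"luaopen_io\\"); local io = io_l(); local f = io.popen(\\"id\\", \\"r\\"); return f:read(\\"*a\\")" "0"',
    '1647000004.400000 [0 198.51.100.7:40022] "script" "load" "local os_l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\\", \\"luaopen_os\\"); os_l().execute(\\"id\\")"',
]

if __name__ == "__main__":
    # Pipe `redis-cli MONITOR` into this script; with no stdin it runs on the sample.
    for alert in detect(sys.stdin if not sys.stdin.isatty() else SAMPLE_MONITOR):
        print(alert)
```

Two details matter in practice. The SCRIPT LOAD sample reaches `execute` through a local alias, so the `os.execute` pattern does not fire on it; `package.loadlib` and `luaopen_os` still catch it, which is why the loader and library names are the reliable indicators, not the final call. And EVALSHA carries only a hash, so a script must be caught when it is loaded. MONITOR costs throughput, so run it for a bounded window rather than permanently.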
How To Fix CVE-2022-0543, A Critical Lua Sandbox Escape Vulnerability In Redis?
The best way to fix CVE-2022-0543 is to upgrade to a fixed version. Debian fixed the vulnerability in the package versions redis/5:6.0.16-1+deb11u2 (bullseye), redis/5:5.0.14-1+deb10u2 (buster), redis/5:6.0.16-2 and redis/5:7.0~rc2-2. These ship as regular security updates, so on Debian a plain `sudo apt update && sudo apt upgrade redis-server` is sufficient; Ubuntu publishes its own fixed package versions, so check the Ubuntu security notice for your release rather than the Debian version strings. On Ubuntu 20.04 the distribution repository installs Redis 5.0.7 by default, and the unpatched package is vulnerable. Alternatively, follow the steps below to install the current stable Redis from the upstream packages.redis.io repository, which bundles its own Lua and is therefore not affected by this Debian-specific bug. Whichever route you take, make sure the service was restarted on the new binary (`sudo systemctl restart redis-server` if in doubt) and re-run the EVAL check above, which should now fail.
How to fix CVE-2022-0543?
Upgrade the Redis server from the distribution's 5.x package to the current stable release from the upstream repository (6.x at the time of writing).
- Check the version of the Redis server on Ubuntu
Run this command to check the Redis server version:
$ sudo redis-server --version
- Add apt source repositories
Run these commands to add the official apt source:
$ curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
$ echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list
- Update apt repository and install Redis server
Run these two commands to update the apt repository and install the Redis server:
$ sudo apt update
$ sudo apt install redis
- Validate the Redis server version
Check the Redis server version again to confirm that the upgrade succeeded:
$ sudo redis-server --version
We hope this post helps you understand how to fix CVE-2022-0543, a critical Lua sandbox escape vulnerability in Redis. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr and Medium, and subscribe to receive updates like this.