How To Fix CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis

In Jan 2022, Reginaldo Silva, a Redis maintainer, uncovered a vulnerability in Redis dobbed Lua Sandbox Escape vulnerability that allows remote attackerswith the ability to execute Lua scripts to escape the Lua sandbox and execute arbitrary code on the host. The flaw identified is being tracked under CVE-2022-0543 ID has the highest CVSS score of 10 according to the CVSSv3 scoring system. This vulnerability is a warning for people who run Radis on Debian, Ubuntu, and any Linux distributions run on the Debian platform. Additionally, Juniper found an attack targeting this vulnerability. Considering these factors, we urge people who run Radis on Debian build Linux platform must fix the CVE-2022-0543 vulnerability without further delay. Let’s see how to fix CVE-2022-0543, a Lua Sandbox Escape Vulnerability in Redis that offers attackers remote code execution ability.

What Is Redis?

Remote Dictionary Server, in short Redis, is a fast, open-source, in-memory, key-value data store used as a database, cache, streaming engine, and message broker by millions of developers. Its blazing fast response times (millions of requests per second) allows it to be used in real-time applications such as gaming, caching, session management,ad-tech, financial services, healthcare, real-time analytics, geospatial, ride-hailing, chat/messaging, media streaming, and IoT.

Where Does The Vulnerability Exist In Redis Data Store?

The issue exists in the Lua scripting engine in the Redis datastore. Redis’s scripting engine is developed by Lua programming language, which can be accessed through the eval command. As per the design, the Lua engine should be sandboxed so that Redis clients can only interact with the Redis APIs, and clients shouldn’t be able to execute arbitrary code on the Redis running machine.

This vulnerability is because the Lua library in some Debian/Ubuntu packages is provided as a dynamic library. When the Lua interpreter initializes, the “package” variable is automatically populated, and that in turn permits access to arbitrary Lua functionality. This lets remote attackers with the ability to execute Lua scripts escape the Lua sandbox and execute arbitrary code on the host.

Summary Of CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis

This is a Critical vulnerability scored 10 out of 10 in the CVSS score.

Redis Versions Vulnerable To The CVE-2022-0543 Vulnerability:

Redis versions less than equal to redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, redis/5:6.0.15-1 are said to be vulnerable to the flaw. Please check the versions of the Redis server running on your server and take action to fix the CVE-2022-0543 vulnerability if you see any of these versions. Since this vulnerability affects the Lua library in some Debian/Ubuntu packages, Debian-based Linux distributions like Ubuntu, Linux Mint, Raspberry Pi OS are all affected. 

Please read the advisory from Debian and Ubuntu for more information. Note for Ubuntu: Ubuntu Bionic and Trusty are safe and not affected by this flaw.

Command to check the Redis server version:

$ sudo redis-server --version

How To Test Your Server Is Vulnerable To The CVE-2022-0543 Vulnerability?

Reginaldo Silva presented proof of concept to show how this flaw be tested on the servers running the Redis server.

Run this command If you see the Redis server running on your Debian and Ubuntu servers with version less than or equal to redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, redis/5:6.0.15-1.

> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0

In this below picture author is able to achieve code execution by dumping the contents of /etc/passwd.  

Attacks Detected Targeting Lua Sandbox Escape Vulnerability:

Juniper Threat Labs identified cyberattacks targeting this vulnerability. Their analytics says that the attacks have been started on 11 Mar 2022 from the same hands behind Log4j2. Threat actors have been using a variant of Muhstik bot to exploit this vulnerability. Technical analysis says that initially, the bot downloads russia.sh script from “106[.]246.224.219” and save it in “/tmp/russ” and runs it. Later russia.sh script downloads more malware programs from 160[.]16.58.163 and runs them for further exploit. Please read the more technical details from here. 

Indicators of Compromise 

 Download IP

Attacker IP 

How To Fix CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis?

The best possible way to fix the CVE-2022-0543 vulnerability is to upgrade to the fixed or latest available versions. This vulnerability is fixed in redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2, redis/5:7.0~rc2-2 Redis server versions. Please upgrade your Redis to any of these versions. You will get Redis server v 5.0.7 as the default version when you install from its apt repositories, which is vulnerable. Please follow these steps to upgrade your Redis server from v5.x to stable 6.x.

How to fix CVE-2022-0543?

Upgrade the Redis server from 5.x to new stable 6.x.

Step 1. Check the version of the Redis server on Ubuntu

Run this command to check the Redis server version:

$ sudo redis-server –version

Step 2. Add apt source repositories

Run these commands to add the official apt source:

$ sudo curl -fsSL https://packages.redis.io/gpg | sudo gpg –dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
$ sudo echo “deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb
$(lsb_release -cs) main” | sudo tee /etc/apt/sources.list.d/redis.list

Step 3. Update the apt repository and install the Redis server

Run these two commands to update the apt repository and install the Redis server:

$ sudo apt update
$ sudo apt install redis

Step 4. Validate the Redis server version

Check the Redis server version again to validate the successful upgradation:

$ sudo redis-server –version

We hope this post will help you know How to Fix CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability in Redis. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.