Aqua Nautilus revealed a new undetected threat targeting a critical vulnerability CVE-2022-0543 discovered in the Lua scripting engine in the Redis datastore. Since the malware is written in the go language and can be capable of riding the vulnerable Redis server, Aqua’s research team, Nautilus, named the malware Redigo. As per the report shared, Redigo enables adversaries to take over the vulnerable Redis server and change the role of the server to act as a client to the adversaries’ rogue Redis server. Once the attackers establish their control on the victim Redis server, they can abuse the compromised Redis server to join their bot network to carry out distributed denial of service attacks, steal sensitive information on the compromised server, or even use the victim’s resources in crypto mining activities. Considering all these implications, it is good to know what is Redigo malware and how to protect your Redis server from Redigo malware.
What Is Redis?
Redis is an open-source, in-memory data store used as a database, cache, and message broker. Redis is often referred to as a NoSQL or key-value store that serves up fast access to stored data structures. It supports various data types such as strings, hashes, lists, sets, and sorted sets with range queries, bitmaps, hyperlogs, and geospatial indexes.
Redis also provides high availability via its master-slave replication feature. It allows data fetching and delivery in a short response time, allowing millions of requests per second. Redis is highly scalable and can support up to 2000+ client connections per second. It is terrifically faster than a relational database. It is often used for gaming applications, real-time analytics, leaderboards, user profiles, and session management, web page rendering, caching, and more.
Redis is written in C and is designed to be very fast and efficient with memory as well as storage. It also supports cluster mode allowing for easy horizontal scaling. With its robust feature set and performance benefits, Redis has become a popular choice among developers looking for an effective data storage solution.
Summary Of CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis
Well, the CVE-2022-0543 vulnerability was disclosed in March 2022. To give you the background once again, The issue exists in the Lua scripting engine in the Redis datastore, the scripting engine developed by Lua programming language, which can be accessed through the eval command. As per the design, the Lua engine should be sandboxed so that Redis clients can only interact with the Redis APIs, and clients shouldn’t be able to execute arbitrary code on the Redis running machine.
This vulnerability is because the Lua library in some Debian/Ubuntu packages is provided as a dynamic library. When the Lua interpreter initializes, the “package” variable is automatically populated, and that in turn, permits access to arbitrary Lua functionality. This lets remote attackers with the ability to execute Lua scripts escape the Lua sandbox and execute arbitrary code on the host.
This is a Critical vulnerability scored 10 out of 10 in the CVSS score.
|Associated CVE ID||CVE-2022-0543|
|Description||A Critical Lua Sandbox Escape Vulnerability in Redis that allows attackers to perform remote code execution on the host running Redis.|
|Associated ZDI ID||–|
|CVSS Score||10.0 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||None|
|User Interaction (UI)||None|
A Short Note About Redigo Malware:
This is a backdoor malware designed to target the Redis servers vulnerable to CVE-2022-0543. Redogp initially tries to scan the vulnerable Redis servers exposed to the internet on port 6379 and tries to connect and delivers the shared dynamic library exp_lin.so which helps the attackers to download the exploits, run the commands & arbitrary code, elevate the privileges, and finally steal the sensitive data, or complete takeover the Redis server.
It is difficult to identify the malware as it operates on port 6379, which is the official Redis communication port on that Redis client-server communication happens. Once the attacker succeeds in delivering the Redigo malware, he can turn the compromised Redis server into a slave and create a command-and-control relationship between the attacker’s rough Redis server and the victim Redis server, which will become client post-compromise.
This go language backdoor not just helps advisories to maintain persistence, but it also helps to join their bot network to carry out distributed denial of service attacks, steal sensitive information on the compromised server, or even use victims’ resources in crypto mining activities.
The Attack Flow of Redigo Malware
Let’s learn the attack flow of Redis malware in different phases in this section.
Initial Access Phase: In the initial attack phase, advisories scan the Redis servers exposed to the internet on port 6379 and run a few commands that help advisories create the attack surface. See the list of commands it tries to execute once the victim Redis server is connected.
Execution Phase: Once the dynamic library (exp_lin.so) is loaded on the victim Redis server, it executes the commands, download and run the Redigo malware and execute code that exploits the CVE-2022-0543 Vulnerability.
Information Steal: Stealing sensitive information or gathering the victim’s information is not a new thing. Most of the malware do this for their benefit. Redis tries to gather resource statistics such as the server, memory, and CPU of its targets.
Report to the Attacker’s Redis server: The attacker’s Redis servers use network port 6379 to communicate with the compromised Redis server. This makes most of the security solutions fail to identify the Redis malware.
Don’t forget to read the technical details from Aqua Nautilus, the team who disclosed the Redis malware by deploying honey pot.
How to Protect Your Redis Server from Redigo Malware?
Considering its ability to cause damage, it is highly important to protect your Redis server from Redigo malware. Redigo malware is an extremely dangerous type of malware that can compromise the security of your Redis server to join their bot network to carry out distributed denial of service attacks, steal sensitive information on the compromised server, or even use the victim’s resources in crypto mining activities. As this malware works by exploiting the CVE-2022-0543 Vulnerability in the Redis database, it is important to take steps to protect your Redis server from Redigo malware.
Fix the CVE-2022-0543 Vulnerability on the Redis server: The first step in protecting your Redis server is to ensure that your server is up to date with the latest version of Redis. Redis versions less than equal to redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, redis/5:6.0.15-1 are said to be vulnerable to the flaw. This Vulnerability is fixed in redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2, redis/5:7.0~rc2-2 Redis server versions. Please upgrade your Redis to any of these versions. Please read more details about the CVE-2022-0543 Vulnerability to fix.
Command to check the Redis server version:
$ sudo redis-server --version
Block the unauthorized traffic and IoCs on the Firewalls: You should also consider setting up a firewall on your server to prevent unauthorized connections from outside sources on port 6379. This will help protect your server from malicious attacks and make it harder for attackers to access your data. It is highly recommended to block the IoCs captures in the analysis on the firewalls.
Hardening of Redis servers: Disabling the Redis protocol command should be done if possible. Disabling this command can help stop attackers from running undesired Redis commands such as slave of. It is important to take the Redis server off the internet. Keep it behind a secured VPN.
Scan your supply chain: Implement software supply chain audits based on CIS Software Supply Chain benchmark using tools like Chain-Bench.
Follow all the security guidelines: Don’t skip any security guidelines like keeping the software up to date, deploying a strong authentication system, scanning for vulnerabilities and patching them, and implementing a good monitoring system to be alerted.
By following the steps above, you can greatly reduce the risk of your Redis server being compromised by Redigo Backdoor malware. It is important to stay vigilant and regularly update your software to ensure that your server remains secure. Taking these precautions can help protect your data from malicious attacks and make sure that it remains safe when using a Redis database.
If you want to fix the CVE-2022-0543 Vulnerability on your Redis server, upgrade your Redis server to the fixed versions. Follow these steps to upgrade your Redis server.
Time needed: 10 minutes.
How to Upgrade Redis server?
Upgrade the Redis server from 5.x to new stable 6.x.
- Check the version of the Redis server on Ubuntu
Run this command to check the Redis server version:
$ sudo redis-server –version
- Add apt source repositories
Run these commands to add the official apt source:
$ sudo curl -fsSL https://packages.redis.io/gpg | sudo gpg –dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
$ sudo echo “deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb
$(lsb_release -cs) main” | sudo tee /etc/apt/sources.list.d/redis.list
- Update apt repository and install Redis server
Run these two commands to update the apt repository and install the Redis server:
$ sudo apt update
$ sudo apt install redis
- Validate the Redis server version
Check the Redis server version again to validate the successful upgradation:
$ sudo redis-server –version
We hope this article helped in understanding what is Redigo malware and how to protect your Redis server from Redigo malware. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.