
In January 2022, Reginaldo Silva, a Redis maintainer, uncovered a vulnerability in Redis dubbed the Lua Sandbox Escape vulnerability, which allows remote attackers with the ability to execute Lua scripts to escape the Lua sandbox and execute arbitrary code on the host. The flaw is tracked as CVE-2022-0543 and carries the highest possible CVSSv3 score of 10. This vulnerability is a warning for people who run Redis on Debian, Ubuntu, and any Linux distribution built on the Debian platform. Additionally, Juniper has observed attacks targeting this vulnerability. Considering these factors, we urge anyone running Redis on a Debian-based Linux platform to fix CVE-2022-0543 without further delay. Let's see how to fix CVE-2022-0543, the Lua Sandbox Escape vulnerability in Redis that gives attackers remote code execution.

What Is Redis?

Remote Dictionary Server, Redis for short, is a fast, open-source, in-memory, key-value data store used as a database, cache, streaming engine, and message broker by millions of developers. Its blazing fast response times (millions of requests per second) allow it to be used in real-time applications such as gaming, caching, session management, ad-tech, financial services, healthcare, real-time analytics, geospatial, ride-hailing, chat/messaging, media streaming, and IoT.

Where Does The Vulnerability Exist In Redis Data Store?

The issue exists in the Lua scripting engine of the Redis datastore. Redis's scripting engine is written in the Lua programming language and is reached through the EVAL command. By design, the Lua engine is supposed to be sandboxed so that Redis clients can only interact with the Redis APIs and cannot execute arbitrary code on the machine running Redis.

This vulnerability exists because the Lua library in some Debian/Ubuntu packages is provided as a dynamic library. When the Lua interpreter initializes, the "package" variable is automatically populated, and that in turn permits access to arbitrary Lua functionality. This lets remote attackers with the ability to execute Lua scripts escape the Lua sandbox and execute arbitrary code on the host.

Summary Of CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis

This is a Critical vulnerability with a CVSS score of 10 out of 10.

Associated CVE ID: CVE-2022-0543
Description: A Critical Lua Sandbox Escape Vulnerability in Redis that allows attackers to perform remote code execution on the host running Redis.
Associated ZDI ID:
CVSS Score: 10.0 Critical
Impact Score: 6.0
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Redis Versions Vulnerable To The CVE-2022-0543 Vulnerability: 

Redis Debian package versions up to and including redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4 and redis/5:6.0.15-1 are reported to be vulnerable to the flaw. Please check the version of the Redis server running on your server and take action to fix the CVE-2022-0543 vulnerability if you see any of these versions. Since this vulnerability affects the Lua library in some Debian/Ubuntu packages, Debian-based Linux distributions such as Ubuntu, Linux Mint and Raspberry Pi OS are all affected.


Please read the advisory from Debian and Ubuntu for more information. Note for Ubuntu: Ubuntu Bionic and Trusty are safe and not affected by this flaw.

Command to check the Redis server version:

$ sudo redis-server --version

How To Test Your Server Is Vulnerable To The CVE-2022-0543 Vulnerability?

Reginaldo Silva published a proof of concept showing how this flaw can be tested on servers running Redis.

Run this command if your Debian or Ubuntu server runs a Redis package version less than or equal to redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4 or redis/5:6.0.15-1.

> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0

In the picture below, the author achieves code execution by dumping the contents of /etc/passwd.
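The proof of concept above works by calling package.loadlib from inside an EVAL script, which is exactly the kind of call a sandboxed script should never make. As an added example that is not part of the original post or of Redis itself, the Python below scans `redis-cli MONITOR` output for EVAL and SCRIPT LOAD scripts that reference the Lua primitives involved in this escape. The MONITOR lines are constructed samples (the 203.0.113.9 client is a documentation-range placeholder) and the list of suspicious names is my own choice; EVALSHA is not inspected because it carries only a script hash, not the script source.

```python
import re

# Lua names a sandboxed Redis script has no legitimate reason to reference.
# package.loadlib is the primitive used in the CVE-2022-0543 proof of concept;
# the rest are what becomes reachable once the sandbox is gone. (My own list.)
SUSPICIOUS_LUA = ("package.loadlib", "io.popen", "os.execute", "loadstring", "dofile")

# MONITOR prints: <timestamp> [<db> <client addr>] "cmd" "arg1" "arg2" ...
MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
# One double-quoted argument; embedded quotes are backslash-escaped by MONITOR.
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample of MONITOR output: normal traffic, a benign EVAL, then two
# scripts that reach for package.loadlib / io.popen (path kept as on the page).
SAMPLE_MONITOR = """\
1647000000.100000 [0 10.0.0.5:53112] "SET" "session:42" "alice"
1647000000.200000 [0 10.0.0.5:53112] "EVAL" "return redis.call('GET', KEYS[1])" "1" "session:42"
1647000001.300000 [0 203.0.113.9:40112] "EVAL" "local io_l = package.loadlib(\\"/usr/lib/x86_64-linux-gnu/\\", \\"luaopen_io\\"); local io = io_l(); local f = io.popen(\\"id\\", \\"r\\"); return f:read(\\"*a\\")" "0"
1647000002.400000 [0 203.0.113.9:40112] "SCRIPT" "LOAD" "local f = io.popen(\\"id\\"); return f:read(\\"*a\\")"
"""


def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client address and unescaped arguments."""
    m = MONITOR_LINE.match(line)
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in QUOTED_ARG.findall(m.group("args"))]
    return {"ts": float(m.group("ts")), "client": m.group("client"), "args": args}


def lua_script_from(args):
    """Return the Lua source carried by an EVAL or SCRIPT LOAD command, else None."""
    if not args:
        return None
    cmd = args[0].upper()
    if cmd == "EVAL" and len(args) >= 2:
        return args[1]
    if cmd == "SCRIPT" and len(args) >= 3 and args[1].upper() == "LOAD":
        return args[2]
    return None


def find_sandbox_escape_attempts(monitor_text):
    """Return one finding per script that references a suspicious Lua name."""
    findings = []
    for line in monitor_text.splitlines():
        rec = parse_monitor_line(line)
        if rec is None:
            continue
        script = lua_script_from(rec["args"])
        if script is None:
            continue
        hits = [name for name in SUSPICIOUS_LUA if name in script]
        if hits:
            findings.append({"ts": rec["ts"], "client": rec["client"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_sandbox_escape_attempts(SAMPLE_MONITOR):
        print(f"{f['ts']:.6f} {f['client']} -> {', '.join(f['indicators'])}")
```

Feed it a captured MONITOR session (or the same parsing applied to SLOWLOG entries) to find clients that sent sandbox-escaping scripts; the client address is what you would then match against firewall logs.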

Attacks Detected Targeting Lua Sandbox Escape Vulnerability:

Juniper Threat Labs identified cyberattacks targeting this vulnerability. Their analysis says the attacks started on 11 Mar 2022 and come from the same actors seen behind the Log4j2 attacks. The threat actors have been using a variant of the Muhstik bot to exploit this vulnerability. According to the technical analysis, the bot first downloads a script from 106[.]246.224.219, saves it as /tmp/russ and runs it. That script then downloads more malware from 160[.]16.58.163 and runs it to continue the attack. Juniper Threat Labs' write-up has the full technical details.

Indicators of Compromise 

  • 4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197  pty1
  • 46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f  pty10
  • 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b  pty2
  • 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3  pty3
  • 16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2  pty4
  • 28443c0a9bfd8a12c12a2aad3cc97d2e8998a9d8825fcf3643d46012f18713f0  pty5
  • 36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54

Download IPs

  • 106[.]246.224.219
  • 160[.]16.58.163

Attacker IPs

  • 104[.]236.150.159
  • 170[.]210.45.163
  • 146[.]185.136.187
  • 178[.]62.69.4
  • 191[.]232.38.25
  • 79[.]172.212.132
  • 221[.]120.103.253

How To Fix CVE-2022-0543- A Critical Lua Sandbox Escape Vulnerability In Redis?

The best possible way to fix the CVE-2022-0543 vulnerability is to upgrade to the fixed or latest available versions. This vulnerability is fixed in the redis/5:6.0.16-1+deb11u2, redis/5:5.0.14-1+deb10u2, redis/5:6.0.16-2 and redis/5:7.0~rc2-2 package versions. Please upgrade your Redis to any of these versions. Note that installing from the distribution's apt repositories gives you Redis server v5.0.7 by default, which is vulnerable. Please follow these steps to upgrade your Redis server from v5.x to stable 6.x.

How to fix CVE-2022-0543?

Upgrade the Redis server from 5.x to the new stable 6.x.

  1. Check the version of the Redis server on Ubuntu

    Run this command to check the Redis server version:

    $ sudo redis-server --version

  2. Add the Redis apt source repository

    Run these commands to add the official apt source:

    $ sudo curl -fsSL | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
    $ sudo echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list

  3. Update the apt repository and install the Redis server

    Run these two commands to update the apt package index and install the Redis server:

    $ sudo apt update
    $ sudo apt install redis

  4. Validate the Redis server version

    Check the Redis server version again to confirm that the upgrade succeeded:

    $ sudo redis-server --version
