Threat Advisory

Critical Redis Flaws Enable Remote Code Execution and DoS Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Two critical Redis vulnerabilities, CVE-2024-51741 and CVE-2024-46981, expose systems to denial-of-service (DoS) and remote code execution (RCE) risks. CVE-2024-51741, affecting Redis 7.0.0+, allows server crashes via malformed ACL selectors and is fixed in versions 7.2.7 and 7.4.2. CVE-2024-46981 exploits Lua scripting for RCE, impacting all Redis versions with Lua enabled.

  • CVE-2024-51741: A denial-of-service (DoS) vulnerability with a CVSS score of 7.5, affecting Redis versions 7.0.0 and newer. It allows an authenticated user with sufficient privileges to create a malformed Access Control List (ACL) selector, which triggers a server panic and causes a DoS condition.
  • CVE-2024-46981: A more severe vulnerability, with a CVSS score of 9.8, that allows remote code execution (RCE) through the misuse of Lua scripting in Redis. An authenticated attacker can craft a malicious Lua script that manipulates the garbage collector, potentially executing arbitrary code on the server. This vulnerability affects all Redis versions with Lua scripting enabled.

Prompt updates and strict access controls are essential to mitigate the risks posed by Redis vulnerabilities, ensuring system security against DoS and RCE threats.

RECOMMENDATION:

  • We strongly recommend updating Redis to version 6.2.17, 7.2.7 or 7.4.2 (the fixed releases for the 6.2, 7.2 and 7.4 branches respectively).
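The following is an added example, not part of the original advisory, showing how a defender can turn the affected and fixed versions listed above (the two vulnerability entries and the update recommendation) into an automated check: it parses the `redis_version` line from `INFO server` output and reports, per CVE, whether the running build is fixed, vulnerable, or not affected. The `INFO` sample is constructed for the example; the treatment of branches with no fixed release named here (such as 7.0.x) as "vulnerable, move to a fixed branch" is an assumption of this script, not a statement from the advisory.

```python
"""
Added example: assess a Redis server's exposure to CVE-2024-51741 and
CVE-2024-46981 from the version string in `INFO server`, using only the
affected/fixed versions stated in the advisory above.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by minor branch (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 17),
    (7, 2): (7, 2, 7),
    (7, 4): (7, 4, 2),
}

# Constructed sample of `redis-cli INFO server` output (only relevant lines kept).
SAMPLE_INFO = """# Server
redis_version:7.2.5
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""


def parse_version(info: str) -> Version:
    """Extract the redis_version line from INFO output as an (x, y, z) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def _fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(version: Version, lua_enabled: bool = True) -> Dict[str, str]:
    """Return a status string per CVE for the given server version.

    Assumption (not from the advisory): a branch with no fixed release listed
    here is reported as vulnerable with advice to move to a fixed branch.
    """
    fixed: Optional[Version] = FIXED_BY_BRANCH.get(version[:2])

    def status(affected: bool) -> str:
        if not affected:
            return "not affected"
        if fixed is None:
            return "vulnerable (no fixed release on this branch; move to 7.2.7/7.4.2)"
        if version >= fixed:
            return "fixed"
        return f"vulnerable (upgrade to {_fmt(fixed)})"

    return {
        # DoS via malformed ACL selector: only Redis 7.0.0 and newer are affected.
        "CVE-2024-51741": status(version >= (7, 0, 0)),
        # RCE via Lua garbage collector: every version with Lua scripting enabled.
        "CVE-2024-46981": status(lua_enabled),
    }


if __name__ == "__main__":
    v = parse_version(SAMPLE_INFO)
    print(f"redis_version {_fmt(v)}")
    for cve, result in assess(v).items():
        print(f"  {cve}: {result}")
```

In practice the `INFO` text comes from `redis-cli INFO server` (or the `INFO` command over an authenticated connection) rather than the constructed sample. Until the upgrade lands, the "strict access controls" the advisory calls for can be expressed with Redis's built-in ACL categories: removing `@scripting` from accounts that do not need `EVAL`/`EVALSHA` limits who can reach the Lua path at all, and keeping `ACL` itself restricted to administrative users limits who can create selectors.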

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/redis-server-vulnerabilities/
