CVE-2023-36824
📋 TL;DR
This vulnerability in Redis allows authenticated users to trigger a heap overflow by executing specially crafted COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS commands, potentially leading to heap corruption and remote code execution. It affects Redis 7.0 versions prior to 7.0.12. Users with ACL rules matching key names are also vulnerable when executing commands with variadic key lists.
💻 Affected Systems
- Redis
📦 What is this software?
Fedora by Fedoraproject
Redis by Redis
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Heap corruption causing Redis service crashes, denial of service, and potential information disclosure through memory leaks.
If Mitigated
Limited to authenticated users only, reducing attack surface if proper authentication and ACL controls are implemented.
🎯 Exploit Status
Exploitation requires authenticated access and specific command crafting. No public exploit code available at advisory time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Redis 7.0.12
Vendor Advisory: https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3
Restart Required: Yes
Instructions:
1. Download Redis 7.0.12 from the official repository.
2. Stop the Redis service.
3. Back up configuration and data.
4. Install the new version.
5. Restart the Redis service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Restrict Command Access
Disable or restrict access to the vulnerable COMMAND GETKEYS and COMMAND GETKEYSANDFLAGS subcommands via Redis ACL. This covers only the COMMAND GETKEYS path; the advisory also lists ACL rules that match key names as a trigger when commands with variadic key lists are executed, so treat this workaround as partial.
ACL SETUSER <username> -@all +@read +@write -COMMAND|GETKEYS -COMMAND|GETKEYSANDFLAGS
Network Segmentation
Restrict Redis port access to trusted networks only (rules below are appended in order, so the ACCEPT for the trusted network must precede the DROP):
iptables -A INPUT -p tcp --dport 6379 -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
🧯 If You Can't Patch
- Implement strict Redis ACL rules to limit command execution capabilities for all users
- Isolate Redis instances in network segments with strict firewall rules and monitor for suspicious command patterns
🔍 How to Verify
Check if Vulnerable:
Check the Redis server version with the INFO command. Note that redis-cli --version reports the version of the redis-cli client binary, not of the running server, so rely on INFO when the client and server were installed separately. If the server version is 7.0.0 through 7.0.11, the system is vulnerable.
Check Version:
redis-cli --version (client binary) or redis-cli INFO | grep redis_version (running server)
Verify Fix Applied:
After patching, verify version is 7.0.12 or higher and test Redis functionality with normal operations.
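An added check, not part of this advisory: a small Python script that parses `redis-cli INFO` output for the server's redis_version line and flags the affected range stated above (7.0.0 through 7.0.11, fixed in 7.0.12). The SAMPLE_INFO text is constructed for offline use; in practice, pipe `redis-cli INFO server` into the script.

```python
import re
import sys
from typing import Optional, Tuple

# Constructed sample of `redis-cli INFO server` output (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:7.0.11
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""

FIXED_VERSION = (7, 0, 12)  # first fixed release named in the advisory


def parse_redis_version(info_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the redis_version line of INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_cve_2023_36824(version: Tuple[int, int, int]) -> bool:
    """True for the affected range stated on this page: 7.0.0 through 7.0.11."""
    major, minor, patch = version
    return major == 7 and minor == 0 and patch < FIXED_VERSION[2]


def check_info(info_text: str) -> str:
    """Return a one-line verdict for the INFO text, or 'unknown' if no version line is found."""
    v = parse_redis_version(info_text)
    if v is None:
        return "unknown: no redis_version line in INFO output"
    label = "VULNERABLE" if is_vulnerable_cve_2023_36824(v) else "not in affected range"
    return f"redis {'.'.join(map(str, v))}: {label}"


if __name__ == "__main__":
    # Read INFO output from stdin when piped; fall back to the constructed sample otherwise.
    text = SAMPLE_INFO if sys.stdin.isatty() else sys.stdin.read()
    print(check_info(text))
```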
📡 Detection & Monitoring
Log Indicators:
- Unusual COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS patterns
- Redis crash logs with heap corruption errors
- Multiple authentication attempts from single source
Network Indicators:
- Unusual command sequences on Redis port 6379
- High volume of COMMAND requests from single IP
SIEM Query:
source="redis.log" AND ("COMMAND GETKEYS" OR "COMMAND GETKEYSANDFLAGS") AND NOT user="trusted_user"
🔗 References
- https://github.com/redis/redis/releases/tag/7.0.12
- https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/
- https://security.netapp.com/advisory/ntap-20230814-0009/