Securing your REmote DIctionary Server (Redis)

What is Redis:

REmote DIctionary Server (Redis) is a data structure server designed to be accessed by trusted clients inside a trusted environment. It is open-source, networked, in-memory, and stores keys with optional durability. For more details, read the documents listed in the references section below.

Vulnerability description:

Vulnerable servers expose their Redis port to anyone who can reach it with the "redis-cli" program (packaged with the Redis server) or with telnet. A malicious intruder can run "redis-cli -h [IP]" followed by "info" to obtain the Redis server version running on the host. The same unauthenticated client access can be used to take full control of the Redis server and the content it stores.

Affected versions:

All versions of Redis.

How to verify if your server is vulnerable:

Use the following command to collect the information about your system via the Redis service:

telnet <IP> 6379

Then type

info

Output sample:

redis_version:2.8.13
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:d8d8ae7eb8e0f48d
redis_mode:standalone
os:Linux 2.6.32-431.20.3.el6.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.4.7
process_id:2475
run_id:2c8b3f1249de9e99bf97b1eb364a2299dea77978
tcp_port:6379
uptime_in_seconds:15872691
uptime_in_days:183
hz:10
lru_clock:12415594
config_file:/etc/redis/6379.conf

# Clients
connected_clients:2
client_longest_output_list:0
client_biggest_input_buf:60
blocked_clients:0

# Memory
used_memory:611246152
used_memory_human:582.93M
used_memory_rss:632090624
used_memory_peak:696808976
used_memory_peak_human:664.53M
used_memory_lua:33792
mem_fragmentation_ratio:1.03
mem_allocator:jemalloc-3.6.0

# Persistence
[...]
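The check above can be scripted so it runs against every Redis port you operate. This is an added example, not code from the original article: it connects to a host and port you supply, sends INFO, and reports whether the server answered with INFO data (no password required) or refused the unauthenticated command with a NOAUTH error. Host and port are assumptions passed in by the caller.

```python
import socket

def classify_info_reply(reply: bytes) -> dict:
    """Interpret a raw RESP reply to INFO: an error line ("-NOAUTH ...") means
    the instance refused the unauthenticated command; a bulk string
    ("$<len>\\r\\n<payload>") means INFO was served without a password."""
    if reply.startswith(b"-"):
        err = reply[1:].split(b"\r\n", 1)[0].decode("utf-8", "replace")
        return {"unauthenticated": False, "version": None, "error": err}
    if reply.startswith(b"$"):
        _header, _, payload = reply.partition(b"\r\n")
        fields = {}
        for line in payload.decode("utf-8", "replace").splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # section headers such as "# Server" carry no field
            key, _, value = line.partition(":")
            fields[key] = value
        return {"unauthenticated": True,
                "version": fields.get("redis_version"), "error": None}
    return {"unauthenticated": False, "version": None,
            "error": "unexpected reply: %r" % reply[:32]}

def _read_reply(sock: socket.socket) -> bytes:
    """Read one RESP reply: an error line, or a bulk string of declared length."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    if buf.startswith(b"$"):
        header, _, rest = buf.partition(b"\r\n")
        length = int(header[1:])
        if length < 0:
            return buf  # null bulk string, nothing more to read
        while len(rest) < length + 2:  # payload plus its trailing CRLF
            chunk = sock.recv(4096)
            if not chunk:
                break
            rest += chunk
        buf = header + b"\r\n" + rest
    return buf

def check_redis(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Connect to one of your own Redis ports, send INFO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"INFO server\r\n")
        return classify_info_reply(_read_reply(sock))
```

A result with "unauthenticated": True is the condition this article describes; a NOAUTH error shows that the authentication mitigation is in place, although the port is still reachable from wherever the check was run.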

Resolution:

Redis is designed to be accessed by trusted clients inside trusted environments. This means that it is usually not a good idea to expose a Redis instance directly to the internet or, in general, to any environment where untrusted clients can directly reach the Redis TCP port or UNIX socket. Different options are available to protect your server or device:

  1. Disable Redis if you are not using it. This is the easiest and most effective solution.
  2. Enable the authentication feature in redis.conf.
  3. Use your firewall to block inbound connections to the Redis service and allow only trusted IPs and hosts.

External references:
