
Autonomous AI Bug Hunter Discovers Critical Flaw in Redis Database

An autonomous AI tool has discovered a critical remote code execution vulnerability in Redis that remained hidden for over two years across multiple stable versions.

CSBadmin

Vulnerability Discovery and Impact

A fully autonomous artificial intelligence tool has identified a critical remote code execution vulnerability in the Redis in-memory database, marking a significant milestone for automated security research. The flaw, which existed undetected for more than two years, allows an authenticated user to execute arbitrary operating system commands on the machine hosting the Redis instance.

The vulnerability resides in the blocking client code within Redis and was introduced during a code refactor in early 2023. It affects all stable branches from version 7.2.0 onward, up to the patch released in early May. The bug is a use-after-free error in the unblockClientOnKey() function, where the software continues to use a client pointer after that memory has been freed.

Technical Details and Exploitation

The flaw was created through two separate code changes that were harmless individually but dangerous when combined. A refactoring effort in January 2023 added an unchecked function call, while a subsequent change in March 2023 added additional client access after that call. Together, these changes created the exploitable condition that survived multiple security review cycles.

Exploitation requires an authenticated session, but in default Redis deployments, the default user already possesses all necessary privileges. The attack chain proceeds in three stages: first leaking a heap address using a simple Lua script, then manipulating client memory limits to trigger the use-after-free condition, and finally overwriting a function pointer to achieve code execution.

Cloud Exposure and Remediation

The vulnerability is particularly concerning given Redis’s widespread deployment in cloud environments. Analysis shows that Redis is present in a vast majority of cloud environments, with many instances running without any password protection. This combination of high prevalence and weak security postures significantly amplifies the risk posed by this vulnerability.

Users should update their Redis installations immediately to the patched versions released on May 5. Organizations running Redis in cloud environments should verify they have applied the update and should also review their authentication configurations to ensure proper access controls are in place.
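The checks described above can be scripted. The following is an added example, not code from the article or from Redis: it parses the text returned by `INFO server` and `ACL LIST` and flags a version inside the affected range and enabled users with no password or unrestricted commands. The sample output is constructed, and the `PATCHED` map is an assumption left empty because the article gives no fixed version numbers.

```python
import re

# Constructed sample output (not captured from a real server).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<constructed-hash> ~app:* resetchannels -@all +get +set",
]

# Assumption: the article names no fixed version numbers, so this map is left
# empty. Fill it from the vendor advisory, e.g. {"7.2": (7, 2, <patch>)}.
PATCHED = {}

def parse_version(info_text):
    """Extract (major, minor, patch) from INFO server output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found")
    return tuple(int(x) for x in m.groups())

def version_status(version, patched):
    """Classify a version against the 7.2.0+ range stated in the article."""
    if version < (7, 2, 0):
        return "not-in-affected-range"
    fixed = patched.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return "affected-range-unverified"
    return "patched" if version >= fixed else "vulnerable"

def audit_acl(acl_lines):
    """Flag enabled users with no password or unrestricted commands."""
    findings = []
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "user" or "on" not in tokens[2:]:
            continue  # malformed line or disabled user
        name, rules = tokens[1], tokens[2:]
        if "nopass" in rules:
            findings.append((name, "no password required"))
        # Rules apply left to right; a later "-" rule narrows +@all.
        if "+@all" in rules and not any(
            r.startswith("-") for r in rules[rules.index("+@all") + 1:]
        ):
            findings.append((name, "all commands allowed"))
    return findings

if __name__ == "__main__":
    print(version_status(parse_version(SAMPLE_INFO), PATCHED))
    for user, issue in audit_acl(SAMPLE_ACL):
        print(f"{user}: {issue}")
```

A result of `affected-range-unverified` means the version is 7.2.0 or later and no fixed release was supplied for its branch, so it should be treated as unpatched until confirmed.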

Source: The Hacker News
