oss-sec mailing list archives
[ oss-security ] CVE-2016-10517: CSRF in redis < 3.2.7
From: Thomas Calderon <calderon.thomas () gmail com>
Date: Wed, 25 Oct 2017 09:29:09 +0100
Hi all,

I have requested a CVE from MITRE for an issue that was present in Redis < 3.2.7. They have assigned CVE-2016-10517 for the following:

[Suggested description]
Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port).

------------------------------------------

[Additional Information]
Before Redis 3.2.7 the Host: and POST could be used to process the remaining pipeline if there are pending commands. Therefore it is possible to perform a "Cross Scripting" attack that usually involves trying to feed Redis with HTTP in order to execute commands.

Example: a developer is running a local copy of Redis for development purposes. She also runs a web browser on the same computer. The web browser could send an HTTP request to http://127.0.0.1:6379 in order to access the Redis instance, since a specially crafted HTTP request may also be partially valid Redis protocol. However, if POST and Host: break the connection, this problem should be avoided.

IMPORTANT: It is important to realise that it is not impossible that another way will be found to talk with a localhost Redis using a Cross Protocol attack not involving sending POST or Host:, so this is only a layer of protection but not a definitive fix for this class of issues.

------------------------------------------

[Vulnerability Type]
Cross Site Request Forgery (CSRF)

------------------------------------------

[Vendor of Product]
Pivotal Software

------------------------------------------

[Affected Product Code Base]
Redis - <3.2.7

------------------------------------------

[Affected Component]
redis_server

[Attack Vectors]
Have a user that has a local redis instance running browse an attacker controlled website and perform a DNS rebinding attack in order to POST data to http://127.0.0.1:6379.

------------------------------------------

[Reference]
https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
https://blog.bugreplay.com/2017/05/for-users-of-redis-running-locally-can-be-dangerous.html
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

------------------------------------------
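To illustrate the "remaining pipeline" behaviour the advisory describes and what the 3.2.7 check changes, here is an added Python model of a Redis-style inline command loop (editor's example, not Redis code): each CRLF-terminated line of the input buffer is treated as one inline command, unknown lines get an error reply and processing continues, and with the check enabled a first word of POST or Host: (case-insensitive) aborts the connection before any later pipelined command runs. The HTTP request, the tiny command table and the log format are all constructed for this example.

```python
from typing import List, Tuple

# Constructed sample: a browser-style HTTP request that lands on the Redis
# TCP port. The request line and headers are not valid Redis protocol, but
# each line is still parsed as an "inline" command; the last line is a real
# (harmless) Redis command that rides along in the same pipeline.
HTTP_ON_REDIS_PORT = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:6379\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"SET k v\r\n"
)

# Stand-in for the server command table (only two "real" commands here).
KNOWN_COMMANDS = {"set", "quit"}

def process_pipeline(buf: bytes, cross_protocol_check: bool) -> Tuple[List[str], bool]:
    """Consume an inline-protocol pipeline the way a Redis server would.

    Returns (event log, connection_still_open).
    cross_protocol_check=False models pre-3.2.7: every line is tried as a
    command, unknown ones just get an error reply, and the pipeline goes on.
    cross_protocol_check=True models the 3.2.7 fix: argv[0] of POST or Host:
    is treated as a cross-protocol attempt and the connection is closed,
    so nothing after it in the pipeline is executed.
    """
    log: List[str] = []
    for line in buf.split(b"\r\n"):
        if not line:                      # blank line (e.g. end of headers)
            continue
        argv = line.decode("latin-1").split()
        cmd = argv[0].lower()
        if cross_protocol_check and cmd in ("post", "host:"):
            log.append("SECURITY ATTACK detected; connection aborted")
            return log, False
        if cmd in KNOWN_COMMANDS:
            log.append("executed " + " ".join(argv))
        else:
            log.append("-ERR unknown command '%s'" % argv[0])
    return log, True
```

The first run shows why an HTTP body reaching the port matters: the header lines only produce error replies, and the command after them executes; the second run stops at the very first line. As the advisory itself notes, this only catches pipelines that contain POST or Host:, so it is a layer, not a complete fix.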