Redis Vulnerability CVE-2022-0543
Written By Andy Pantelli
In this article we will look at how the Muhstik Malware Group exploited the Redis Vulnerability (CVE-2022-0543) to grow their botnet. Discovered by Reginaldo Silva in January 2022, the vulnerability at that point was given a Common Vulnerability Scoring System (CVSS) score of 10.0 — the highest possible rating. Soon after, both Debian & Ubuntu released patches on 18th February, prompting Debian to release Security Advisory DSA-5081-1-redis—security update on that date, with Ubuntu issuing USN-5316-1: Redis vulnerability on 8th March.
Around this same time Reginaldo Silva also released a Proof-of-Concept code which could exploit the vulnerability. Almost immediately after Juniper Threat Labs discovered an attack beginning on 11th March being executed by the same adversaries that were targeting systems vulnerable to Log4j. With the exploit ‘in-the-wild’ the US Cybersecurity and Infrastructure Agency (CISA) added the bug to their Known Vulnerabilities Database in late March. Researchers at Rapid7 gave indication that up to 2000 internet facing Linux servers had been exploited by April 2022, although the report did also state that number was potentially upwards of 30,000. Rapid7 were to go on to detail that a Metasploit module became available on 26th April and state that “attackers will continue to opportunistically exploit this vulnerability as long as there are internet facing targets to exploit.”
Redis
Redis is the Remote Dictionary Service Server, a NoSQL open-source data structure store. Redis has gained popularity with Developers recently due to its fast performance. Using LUA, a lightweight programming language designed specifically for embedded use in applications. This documented that a remote attacker with the ability to execute arbitrary Lua scripts could escape the sandbox and executer arbitrary code on the host.
CVE-2022-0543
The developers did not anticipate the flaw and released the code with the intent that the Redis client would only be able to interact with the Redis APIs within the sandbox. The expected behaviour of the sandboxed Lua would be that executing arbitrary code on the machine running Redis would not be possible. By failing to sanitise the interface the developers allowed attackers to load arbitrary libraries. The module was then able to complete execution as the ‘redis’ user. Being presented as a dynamic library in Debian and Ubuntu packages, thereby when the Lua interpreter is initialized the package variable is automatically populated, which in turn permits arbitrary Lua access & functionality.
Affected versions
The versions at risk are:
- Redis versions 5:5.0.14-1+deb10u1
- Redis/5:5.0.3-4
- Redis/5:6.0.15-1
Identifying the Vulnerabillity
Only systems that are Debian, or Debian-derived are at risk. This means that if your system is a Windows OS or does not have a Debian derivative, then your environment is not at risk. To identify if your system is vulnerable firstly you must identify the base OS that your system is running by viewing the os-release file. To view the contents of this file run the cat /etc/os-release syntax shown in fig1 below in which we can see ‘debian’ on the ID_LIKE line
Then we need to check the version of redis using one of the two commands that are available redis-server –v or redis-server –version
As we can see from the output, the versions running on my lab machines are vulnerable to the CVE-2022-0543.
Mitigate Vulnerability
Next, lets mitigate the vulnerability by updating our source repositories followed by
the apt repository:
Lastly updating the newest version of redis using the syntax sudo apt-install redis
(ignoring author typos…)
Now let’s verify the redis version and confirm we have mitigated the risk:
CVE-2022-0543 – Identify and update summary
In summary, we have learned about the vulnerability CVE-2022-0543 which can exploit the Redis Dictionary Server. We’ve discussed how this vulnerability came to be, and how it was discovered then finally how to mitigate this risk. In the last section, we will learn how the Muhstik group exploited this vulnerability.
Muhstik & Redis
Juniper Threat Labs were to report that the Muhstik group began actively exploiting the vulnerability one day after the Proof-of-Concept was released. This was done by their use of Malware to support their Denial-of-Service Attacks. The group, thought to operate from China are thought to have been involved in targeting Oracle WebLogic Server bugs, and a Drupal RCE flaw CVE-2018-7600. The payload used in the Redis attack was named russia.sh which is downloaded using curl commands or wget from their C2 Server. The script grabs variants of the bot from their IRC server which supports parsing of shell & flood commands, and SSH brute force.
IOCs & IPs
4817893f8e724cbc5186e17f46d316223b7683dcbc9643e364b5913f8d2a9197 pty1 46389c117c5f41b60e10f965b3674b3b77189b504b0aeb5c2da67adf55a7129f pty10 95d1fca8bea30d9629fdf05e6ba0fc6195eb0a86f99ea021b17cb8823db9d78b pty2 7d3855bb09f2f6111d6c71e06e1e6b06dd47b1dade49af0235b220966c2f5be3 pty3 16b4093813e2923e9ee70b888f0d50f972ac607253b00f25e4be44993d263bd2 pty4 28443c0a9bfd8a12c12a2aad3cc97d2e8998a9d8825fcf3643d46012f18713f0 pty5 36a2ac597030f3f3425153f5933adc3ca62259c35f687fde5587b8f5466d7d54 russia.sh
Download IP
106[.]246.224.219
160[.]16.58.163
Attacker IP
104[.]236.150.159
170[.]210.45.163
146[.]185.136.187
178[.]62.69.4
191[.]232.38.25
79[.]172.212.132
221[.]120.103.253
Conclusion
It is strongly advised to update and patch systems with the Redis Server. Both Debian and Ubuntu have released security advisories. Patching and advisories are referenced in this article to assist you to identify, and updating your system if necessary.
REFERENCES
Debian Security Advisory – https://security-tracker.debian.org/tracker/CVE-2022-0543
Ubuntu Security Advisory – https://ubuntu.com/security/CVE-2022-0543
Juniper Threat Labs – https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
Rapid7 – https://www.rapid7.com/db/modules/exploit/linux/redis/redis_debian_sandbox_escape/
