[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [ oss-security ] CVE-2016-10517: CSRF in redis < 3.2.7
From: Thomas Calderon <calderon.thomas () gmail ! com>
Date: 2017-10-25 8:29:09
Message-ID: CA+1ewKZdtF6+ZsXznZP43Tw0ERCV8dHOKd6oTODx2wG7OcLc7w () mail ! gmail ! com
[Download RAW message or body]
Hi all,
I have requested a CVE from MITRE for an issue that was present in Redis <
3.2.7.
They have assigned CVE-2016-10517 for the following:
[Suggested description]
Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a
check for POST and Host: strings, which are not valid in the Redis protocol
(but commonly occur when an attack triggers an HTTP request to the Redis
TCP port).
------------------------------------------
[Additional Information]
Before Redis 3.2.7 the Host: and POST could be used to process the
remaining pipeline if there are pending commands. Therefore it is possible
to perform a "Cross Scripting" attack, that usually involves trying to feed
Redis with HTTP in order to execute commands. Example: a developer is
running a local copy of Redis for development purposes. She also runs a
web browser in the same computer. The web browser could send an HTTP
request to http://127.0.0.1:6379 in order to access the Redis instance,
since a specially crafted HTTP request may also be partially valid Redis
protocol. However if POST and Host: break the connection, this problem
should be avoided. IMPORTANT: It is important to realise that it is not
impossible that another way will be found to talk with a localhost Redis
using a Cross Protocol attack not involving sending POST or Host: so this
is only a layer of protection but not a definitive fix for this class of
issues.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Pivotal Software
------------------------------------------
[Affected Product Code Base]
Redis - <3.2.7
------------------------------------------
[Affected Component]
redis_server
[Attack Vectors]
Have a user that has a local redis instance running browse an attacker
controlled website and perform a DNS rebinding attack in order to POST data
to http://127.0.0.1:6379.
------------------------------------------
[Reference]
https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
https://blog.bugreplay.com/2017/05/for-users-of-redis-running-locally-can-be-dangerous.html
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/
------------------------------------------
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic