CERT-Bund-Reports

Openly accessible Redis servers

Redis is an open-source in-memory data store with a simple key-value data model. It is often used as a cache, session store or message queue behind dynamic web applications, and by design it is meant to be reached only by trusted clients inside a trusted network.

Problem

If a Redis server is openly accessible from the Internet and no authentication has been configured, anyone who can connect to the server has unrestricted access to the data stored in it. (Redis does not use SASL; authentication is a password set with the requirepass directive and, from Redis 6 on, optionally per-user ACLs. Older versions also listen on all interfaces unless a bind directive is set.) An unauthenticated client can read, modify or delete any data and run administrative commands such as CONFIG or FLUSHALL, which allows attackers to steal sensitive information like login credentials for web applications or customer data from online shops, or to wipe the data store.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if a Redis server is openly accessible from the Internet, you can use netcat (on many systems the command is named nc) as follows. The sleep keeps the connection open long enough for the reply to arrive before netcat's standard input closes:

$ (printf "info\r\n"; sleep 1) | netcat 192.168.45.67 6379

An openly accessible Redis server will return information like this:

# Server
redis_version:2.8.17
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:4c1d5710660b9479
redis_mode:standalone
os:Linux 3.16.0-4-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.9.2
process_id:12738
run_id:178e1ca5be355158cabdb51aa848b4cdd68a5d54
tcp_port:6379
uptime_in_seconds:8785215
uptime_in_days:101
hz:10
lru_clock:7298172
config_file:/etc/redis/redis.conf

A server that is reachable but protected by a password does not return the INFO output; instead it answers with an error line such as "-NOAUTH Authentication required." (Redis 3.2 and later, if no bind and no password are set, answers with a "-DENIED" line explaining that protected mode is active). Such a server is not openly accessible, but it should still not be reachable from the Internet at all. If the port cannot be reached, netcat will return an error message:

netcat: connect to 192.168.45.67 port 6379 (tcp) failed: Connection refused

or

netcat: connect to 192.168.45.67 port 6379 (tcp) failed: Connection timed out
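
The manual check above can be scripted so that the reply is classified automatically. The following script is an added example and is not part of the CERT-Bund report; it assumes netcat is installed as nc (Debian also provides it under the name netcat) and that the caller passes the host and, optionally, the port. It goes one step beyond the manual check: besides "open", "refused" and "timed out" it recognises a reachable server that rejects the unauthenticated command, which is reachable but not openly accessible.

```sh
#!/bin/sh
# Added example, not part of the CERT-Bund report.
# Assumptions: netcat is installed as 'nc'; host and port come from the caller.

# classify_redis_reply TEXT
# Maps the text netcat produced to one of:
#   open      - the server answered the unauthenticated INFO command
#   auth      - the server is reachable but requires a password
#   protected - Redis 3.2+ protected mode refused the connection
#   refused   - TCP connection refused (port closed or filtered with reject)
#   timeout   - no answer at all (host down or firewall drops the packets)
#   unknown   - anything else (inspect the raw output by hand)
classify_redis_reply() {
    case "$1" in
        *"# Server"*|*redis_version:*)     echo open ;;
        *NOAUTH*|*"operation not permitted"*) echo auth ;;
        *"protected mode"*)                echo protected ;;
        *"Connection refused"*)            echo refused ;;
        *"timed out"*)                     echo timeout ;;
        *)                                 echo unknown ;;
    esac
}

# probe_redis HOST [PORT]
# Sends the inline 'info' command exactly like the manual check and
# classifies whatever comes back, including netcat's own error messages.
probe_redis() {
    host=$1
    port=${2:-6379}
    # The sleep keeps the socket open long enough for the reply to arrive;
    # -w 5 gives up on an unanswered connect after five seconds.
    reply=$( (printf 'info\r\n'; sleep 1) | nc -w 5 "$host" "$port" 2>&1 )
    classify_redis_reply "$reply"
}

# Usage: sh probe_redis.sh 192.168.45.67 [6379]
# Run it from a node outside your own network, as the report advises.
if [ $# -gt 0 ]; then
    echo "$1: $(probe_redis "$@")"
fi
```

Only "open" means the server is affected in the sense of this report; "auth" and "protected" still indicate that port 6379/tcp is reachable from the Internet and should be firewalled.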

Solution

  • Do not expose your Redis server to the Internet! Redis is designed to be accessed only by trusted clients on a trusted network.
  • Restrict access to the Redis server to trusted systems (e.g., the web application server): in redis.conf, bind Redis to the loopback or an internal interface only (bind directive) and set a strong password (requirepass directive); additionally block incoming connections from the Internet to port 6379/tcp on the firewall.
  • Check the security best practices provided by the Redis developers.
  • Keep your Redis installation up to date. Install available security updates as soon as possible.
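
The configuration side of this advice can be checked mechanically. The following script is an added example and is not part of the CERT-Bund report: it reads a redis.conf and reports the settings that leave a server openly accessible. bind, protected-mode and requirepass are genuine Redis directives; the two sample configurations it creates are constructed for the demonstration and do not come from any real host.

```sh
#!/bin/sh
# Added example, not part of the CERT-Bund report.
# Audits a redis.conf for the settings that expose the server.

# last_directive FILE NAME
# Prints the effective value of a directive: the last uncommented
# occurrence wins, which is how Redis itself resolves repeated directives.
last_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# audit_redis_conf FILE
# Prints one line per finding; no output means nothing was found.
audit_redis_conf() {
    conf=$1
    bind=$(last_directive "$conf" bind)
    protected=$(last_directive "$conf" protected-mode)
    requirepass=$(last_directive "$conf" requirepass)

    if [ -z "$bind" ]; then
        echo "bind: not set, Redis listens on every interface"
    else
        # A bind list may contain several addresses; flag the wildcards.
        for addr in $bind; do
            case "$addr" in
                0.0.0.0|'*'|::|-::|-\*)
                    echo "bind: wildcard address '$addr' exposes the port to all networks" ;;
            esac
        done
    fi

    # protected-mode (Redis 3.2+) only shields a server that has neither a
    # bind address nor a password, and only while it is not switched off.
    if [ "$protected" = no ]; then
        echo "protected-mode: disabled"
    fi

    if [ -z "$requirepass" ]; then
        echo "requirepass: not set, any client may run commands without authentication"
    fi
}

# Constructed sample: permissive settings as found on an exposed server.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
port 6379
# bind 127.0.0.1
protected-mode no
# requirepass foobared
EOF

# Constructed sample: the same server after applying the advice above.
cat > "$tmp/hardened.conf" <<'EOF'
port 6379
bind 127.0.0.1
protected-mode yes
requirepass replace-with-a-long-random-secret
EOF

echo "== weak.conf"
audit_redis_conf "$tmp/weak.conf"
echo "== hardened.conf"
audit_redis_conf "$tmp/hardened.conf"
```

The weak sample produces three findings (no bind, protected mode off, no password); the hardened sample produces none. The script only inspects the configuration file, so a host firewall rule for 6379/tcp still has to be verified separately, for example with the netcat check from the Verification section.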

Further information