Many Internet-exposed servers affected by exploited Redis vulnerability
Rapid7 security researchers have identified 2,000 Internet-facing Linux servers that appear to be affected by a Redis vulnerability that has been exploited in attacks.
Tracked as CVE-2022-0543, the security hole has a CVSS score of 10 and is described as insufficient sanitization in Lua. Redis itself statically links the Lua library, but some Debian/Ubuntu packages dynamically link it, which opens a sandbox escape that can be exploited to achieve remote code execution.
Debian and Ubuntu announced fixes for the bug on February 18. On March 8, however, Brazilian security researcher Reginaldo Silva, credited with finding the problem, released proof-of-concept code targeting it.
Wild exploitation of this vulnerability began days later, and the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalog of known exploited vulnerabilities in late March.
Now, Rapid7 says a Metasploit module was made available on April 26 and warns that “attackers will continue to exploit this vulnerability opportunistically as long as there are targets to exploit on the Internet.”
According to Rapid7, there are approximately 2,000 potentially exploitable targets exposed to the internet, namely Ubuntu/Debian instances running Redis in an unsafe, non-default configuration.
However, the researchers also note that there are approximately 33,000 Redis servers that allow unauthenticated access from the Internet, as well as others that are publicly available but require authentication.
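The "unsafe, non-default state" the researchers describe comes down to a handful of redis.conf directives. As an added example (not from the article, Rapid7 or the Redis project), the Python script below audits the three real directives that decide whether an instance accepts unauthenticated clients from outside the host: bind, protected-mode and requirepass. The sample configurations are constructed. The script says nothing about whether the installed package dynamically links Lua, which is the separate condition CVE-2022-0543 depends on, and it does not cover Redis 6+ ACL users, so an instance it calls "not exposed" still needs the package-level check.

```python
"""Audit a redis.conf for the exposed, unauthenticated state described above.

Added example; constructed configs; only bind, protected-mode and requirepass
are inspected. Redis 6+ ACL users (the `user` directive) are not evaluated.
"""
import shlex

# Constructed sample configs, not taken from any real host.
UNSAFE_CONF = """\
# listens on every interface, no password, protected mode switched off
bind 0.0.0.0
protected-mode no
port 6379
"""

SAFE_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "correct horse battery staple"
"""

# bind values that mean "all interfaces" (a leading '-' marks an optional address in Redis 7)
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text):
    """Return {directive: [args, ...]} for a redis.conf body.

    Comment and blank lines are skipped; quoted arguments are honoured via shlex.
    When a directive appears twice, the last occurrence wins, as in Redis itself.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text):
    """Return (exposed_unauthenticated, findings) for a redis.conf body.

    exposed_unauthenticated is True only when the server listens on a
    non-loopback interface AND nothing stops an unauthenticated client:
    no requirepass, and protected mode not in effect. Protected mode only
    takes effect when it is enabled, no bind directive is present and no
    password is set, so an explicit wildcard bind disables it.
    """
    conf = parse_redis_conf(text)
    findings = []

    bind = conf.get("bind")
    listens_everywhere = bind is None or any(v.lstrip("-") in WILDCARDS for v in bind)
    if listens_everywhere:
        findings.append("bind: no bind directive or a wildcard address, listens on all interfaces")

    protected = conf.get("protected-mode", ["yes"])[0].lower() == "yes"
    if not protected:
        findings.append("protected-mode: disabled")

    has_password = bool(conf.get("requirepass")) and conf["requirepass"][0] != ""
    if not has_password:
        findings.append("requirepass: not set, clients connect without authenticating")

    protected_mode_in_effect = protected and bind is None and not has_password
    exposed = listens_everywhere and not has_password and not protected_mode_in_effect
    return exposed, findings


if __name__ == "__main__":
    for name, body in (("UNSAFE_CONF", UNSAFE_CONF), ("SAFE_CONF", SAFE_CONF)):
        exposed, findings = audit_redis_conf(body)
        print(f"{name}: exposed_unauthenticated={exposed}")
        for f in findings:
            print("  -", f)
```

Run it against a real redis.conf by reading the file into a string and passing it to audit_redis_conf; an instance flagged as exposed matches the "internet-facing, no authentication" population counted above, regardless of whether its Redis package is one of the affected builds.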
“2,000 hosts is the hard limit of potentially internet-vulnerable Redis servers that can be operated without authentication. In fact, we don’t know how many of these hosts installed Redis using an affected package or if they were patched,” Rapid7 notes.
The researchers believe that some of these servers could be honeypots, but point out that, overall, the number of targets vulnerable to CVE-2022-0543 appears to be higher than originally thought.
“Given that an exploit has been released in the wild, it’s probably reasonable to push back the priority of patching this vulnerability within your own organization,” Rapid7 concludes.