Vulnerabilities > CVE-2016-10517 - 7PK - Security Features vulnerability in Redislabs Redis

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
redislabs
CWE-254
nessus

Summary

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port).

Vulnerable Configurations

Part Description Count
Application
Redislabs
177

Common Weakness Enumeration (CWE)

Nessus

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-1258.NASL
description: This update for redis to version 4.0.2 fixes the following issues:
- CVE-2016-8339: CONFIG SET client-output-buffer-limit Code Execution Vulnerability (boo#1002351)
The following upstream changes are included:
- SLOWLOG now logs the offending client name and address
- The modules native data types RDB format changed.
- The AOF check utility is now able to deal with RDB preambles.
- GEORADIUS_RO and GEORADIUSBYMEMBER_RO variants, not supporting the STORE option, were added in order to allow read-only scaling of such queries.
- HSET is now variadic, and HMSET is considered deprecated
- GEORADIUS huge radius (>= ~6000 km) corner cases fixed
- HyperLogLog commands no longer crash on certain input (non HLL) strings.
- Fixed SLAVEOF inside MULTI/EXEC blocks.
- TCP binding bug fixed when only certain addresses were available for a given port
- MIGRATE could crash the server after a socket error
last seen: 2020-06-05
modified: 2017-11-13
plugin id: 104521
published: 2017-11-13
reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/104521
title: openSUSE Security Update : redis (openSUSE-2017-1258)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2017-1258.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

# Registration branch: when the `description` variable is set, the script only
# declares its metadata (id, CVEs, texts, CVSS vectors, CPEs, dependencies) and
# then exits at the end of this block without running any check.
if (description)
{
  script_id(104521);
  script_version("3.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  # Two CVEs are attached to this plugin. The description text below only
  # names CVE-2016-8339; CVE-2016-10517 is referenced here but not described.
  script_cve_id("CVE-2016-10517", "CVE-2016-8339");

  script_name(english:"openSUSE Security Update : redis (openSUSE-2017-1258)");
  script_summary(english:"Check for the openSUSE-2017-1258 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  # Per the file header, this text was extracted from the openSUSE advisory.
  script_set_attribute(
    attribute:"description", 
    value:
"This update for redis to version 4.0.2 fixes the following issues :

  - CVE-2016-8339: CONFIG SET client-output-buffer-limit
    Code Execution Vulnerability (boo#1002351)

The following upstream changes are included :

  - SLOWLOG now logs the offending client name and address

  - The modules native data types RDB format changed.

  - The AOF check utility is now able to deal with RDB
    preambles.

  - GEORADIUS_RO and GEORADIUSBYMEMBER_RO variants, not
    supporting the STORE option, were added in order to
    allow read-only scaling of such queries.

  - HSET is now variadic, and HMSET is considered deprecated

  - GEORADIUS huge radius (>= ~6000 km) corner cases fixed

  - HyperLogLog commands no longer crash on certain input
    (non HLL) strings.

  - Fixed SLAVEOF inside MULTI/EXEC blocks.

  - TCP binding bug fixed when only certain addresses were
    available for a given por

  - MIGRATE could crash the server after a socket error"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064980"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected redis packages."
  );
  # NOTE(review): these vectors apply to the plugin as a whole. They presumably
  # reflect the most severe referenced issue (CVE-2016-8339, described above as
  # code execution) rather than CVE-2016-10517 - confirm before reusing them as
  # a per-CVE score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  # Declared as a "local" plugin: the check below works from the host's
  # recorded package list, not from a probe of the Redis service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # CPEs for the three redis packages and the two openSUSE releases covered.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:redis");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:redis-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:redis-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # The check section reads the four KB keys required here; presumably
  # ssh_get_info.nasl is what populates them - confirm against that script.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  # Metadata registered; nothing below runs in description mode.
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Check section: decides from knowledge-base (KB) data whether the host is an
# openSUSE 42.2 / 42.3 system with redis packages that match the rpm_check
# references below. Nothing here contacts the Redis service, so a finding says
# nothing about whether Redis is running or reachable on the host.
#
# audit() is defined in audit.inc (not shown); presumably it records the reason
# the plugin does not apply and stops the script - confirm there.

# Preconditions: local checks enabled, an openSUSE (not SLED/SLES) release of
# exactly 42.2 or 42.3, and a package list present in the KB.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only i586 / i686 / x86_64 hosts are evaluated; an unknown or other
# architecture is audited out before any package comparison.
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# Counts how many rpm_check() calls below return true.
flag = 0;

# One check per package and release, each against a fixed reference version.
# rpm_check() comes from rpm.inc (not shown); presumably it returns true when
# the installed package is older than the reference - confirm in rpm.inc.
# The debuginfo and debugsource packages increment the counter as well, so a
# host can be reported on the strength of one of those alone.
if ( rpm_check(release:"SUSE42.2", reference:"redis-4.0.2-8.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"redis-debuginfo-4.0.2-8.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"redis-debugsource-4.0.2-8.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"redis-4.0.2-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"redis-debuginfo-4.0.2-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"redis-debugsource-4.0.2-11.1") ) flag++;

if (flag)
{
  # At least one check matched: report on port 0, attaching the text from
  # rpm_report_get() when report verbosity is above zero.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # No check matched: audit as "not affected" when pkg_tests_get() returns a
  # non-empty value, otherwise as "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "redis / redis-debuginfo / redis-debugsource");
}