CVE-2016-8339 - Out-of-bounds Write vulnerability in Redislabs Redis

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, redislabs, CWE-787, critical, nessus

Summary

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. The out-of-bounds write is in the handling of the client-output-buffer-limit option during the CONFIG SET command: the class name "master" is accepted by getClientTypeByName and mapped to index 3, but the client_obuf_limits array has only three entries (normal, slave, pubsub), so a crafted CONFIG SET stores attacker-chosen values past the end of the array into the adjacent members of the redisServer structure, potentially resulting in code execution. Note the two scores quoted on this page: NVD rates the issue 9.8 (PR:N) while the Talos report rates it 6.6 (PR:H). The difference is whether CONFIG SET is reachable by an unauthenticated client; on a Redis instance without requirepass, and with the CONFIG command not disabled through rename-command, that is any client able to connect to the port.

Vulnerable Configurations

Part         Description   Count
Application  Redislabs     4

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201702-16.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201702-16 (Redis: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below for details. Impact: A remote attacker, able to connect to a Redis instance, could issue malicious commands possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97259
    published: 2017-02-21
    reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/97259
    title: GLSA-201702-16 : Redis: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201702-16.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97259);
      script_version("$Revision: 3.1 $");
      script_cvs_date("$Date: 2017/02/21 14:37:43 $");
    
      script_cve_id("CVE-2015-4335", "CVE-2015-8080", "CVE-2016-8339");
      script_xref(name:"GLSA", value:"201702-16");
    
      script_name(english:"GLSA-201702-16 : Redis: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201702-16
    (Redis: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Redis. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker, able to connect to a Redis instance, could issue
          malicious commands possibly resulting in the execution of arbitrary code
          with the privileges of the process or a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201702-16"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Redis 3.0.x users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-db/redis-3.0.7'
        All Redis 3.2.x users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=dev-db/redis-3.2.5'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:redis");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-db/redis", unaffected:make_list("ge 3.2.5", "ge 3.0.7"), vulnerable:make_list("lt 3.2.5"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Redis");
    }
    
  • NASL family: Misc.
    NASL id: REDIS_CVE-2016-8339.NASL
    description: The version of Redis installed on the remote host is affected by a remote code execution vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109325
    published: 2018-04-24
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109325
    title: Pivotal Software Redis 3.2.x < 3.2.4 RCE
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-1258.NASL
    description: This update for redis to version 4.0.2 fixes the following issues:
      - CVE-2016-8339: CONFIG SET client-output-buffer-limit Code Execution Vulnerability (boo#1002351)
      The following upstream changes are included:
      - SLOWLOG now logs the offending client name and address
      - The modules native data types RDB format changed.
      - The AOF check utility is now able to deal with RDB preambles.
      - GEORADIUS_RO and GEORADIUSBYMEMBER_RO variants, not supporting the STORE option, were added in order to allow read-only scaling of such queries.
      - HSET is now variadic, and HMSET is considered deprecated
      - GEORADIUS huge radius (>= ~6000 km) corner cases fixed
      - HyperLogLog commands no longer crash on certain input (non HLL) strings.
      - Fixed SLAVEOF inside MULTI/EXEC blocks.
      - TCP binding bug fixed when only certain addresses were available for a given port
      - MIGRATE could crash the server after a socket error
    last seen: 2020-06-05
    modified: 2017-11-13
    plugin id: 104521
    published: 2017-11-13
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/104521
    title: openSUSE Security Update : redis (openSUSE-2017-1258)

Seebug

bulletinFamily: exploit
description:

### Summary

An out-of-bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out-of-bounds write potentially resulting in code execution.

### Tested Versions

Redis - 3.2.3

### Product URLs

http://redis.io/

### CVSSv3 Score

6.6 - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

### Details

Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at.

An out-of-bounds write vulnerability exists during the modification of the `client-output-buffer-limit` option using the `CONFIG SET` command. The required syntax for setting the `client-output-buffer-limit` option is shown below.

```
CONFIG SET client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds>
```

This option sets the limits for disconnecting clients of a certain class. It is applied by the following code in src/config.c:

```c
/* Finally set the new config */
for (j = 0; j < vlen; j += 4) {
    int class;
    unsigned long long hard, soft;
    int soft_seconds;

    class = getClientTypeByName(v[j]);
    hard = strtoll(v[j+1],NULL,10);
    soft = strtoll(v[j+2],NULL,10);
    soft_seconds = strtoll(v[j+3],NULL,10);

    server.client_obuf_limits[class].hard_limit_bytes = hard;
    server.client_obuf_limits[class].soft_limit_bytes = soft;
    server.client_obuf_limits[class].soft_limit_seconds = soft_seconds;
}
```

The class name is resolved in src/networking.c:

```c
int getClientTypeByName(char *name) {
    if (!strcasecmp(name,"normal")) return CLIENT_TYPE_NORMAL;      // 0
    else if (!strcasecmp(name,"slave")) return CLIENT_TYPE_SLAVE;   // 1
    else if (!strcasecmp(name,"pubsub")) return CLIENT_TYPE_PUBSUB; // 2
    else if (!strcasecmp(name,"master")) return CLIENT_TYPE_MASTER; // 3
    else return -1;
}
```

In the parsing of `client-output-buffer-limit` a call to `getClientTypeByName` is used to retrieve the corresponding class's type; it returns a value in the range -1 to 3. Looking at the declaration of the `client_obuf_limits` array in src/server.h, we see that the size of the array is 3:

```c
struct redisServer {
    ...
    clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT];
    ...
}

#define CLIENT_TYPE_OBUF_COUNT 3 /* Number of clients to expose to output
```

Although `client-output-buffer-limit` only expects clients of types `normal`, `slave`, and `pubsub`, `master` is also a valid client type. By providing a client type of `master`, index 3 of the three-element `client_obuf_limits` array is written, and the structure members that follow it in `redisServer` are overwritten with the attacker-supplied limit values. A sample command exercising this vulnerability is below:

```
CONFIG SET client-output-buffer-limit "master 3735928559 3405691582 373529054"
```

### Timeline

* 2016-09-22 - Vendor Disclosure
* 2016-09-26 - Public Release
id: SSV:96671
last seen: 2017-11-19
modified: 2017-10-12
published: 2017-10-12
reporter: Root
title: Redis CONFIG SET client-output-buffer-limit command Code Execution Vulnerability(CVE-2016-8339)
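The write pattern described in the Seebug/Talos details above, reduced to a stand-alone program. This is an added example, not Redis code and not part of the advisory: `struct toyServer` and its `neighbour[]` field are hypothetical stand-ins for `redisServer` and for whatever the real structure stores after `client_obuf_limits` (the real struct has many more members, and the overflow there lands on real server state). The class-name mapping and the tuple-of-four loop follow the quoted `networking.c` and `config.c` code; the `hardened` flag adds the bounds check that 3.2.3 lacked so the vulnerable and corrected behaviour can be compared on the advisory's sample command. The server pointer is `volatile` so the compiler cannot reason that an in-bounds array store can never reach `neighbour[]` and drop the write as dead.

```c
/*
 * Toy reproduction of the CVE-2016-8339 write pattern: a client class
 * index of 3 ("master") applied to a three-element array. Added example,
 * not Redis code. struct toyServer and its neighbour[] field are made-up
 * stand-ins for redisServer and for whatever it stores after the array.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>

#define CLIENT_TYPE_NORMAL     0
#define CLIENT_TYPE_SLAVE      1
#define CLIENT_TYPE_PUBSUB     2
#define CLIENT_TYPE_MASTER     3
#define CLIENT_TYPE_OBUF_COUNT 3   /* array holds normal, slave, pubsub only */

typedef struct {
    unsigned long long hard_limit_bytes;
    unsigned long long soft_limit_bytes;
    time_t soft_limit_seconds;
} clientBufferLimitsConfig;

/* Hypothetical stand-in for redisServer. neighbour[] gives the overflow
 * somewhere to land that we can inspect without corrupting the stack. */
struct toyServer {
    clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT];
    unsigned long long neighbour[4];
};

#define NEIGHBOUR_INIT 0x5A5A5A5A5A5A5A5AULL

/* Same mapping as the quoted src/networking.c: "master" maps to 3,
 * one past the last valid index of client_obuf_limits[]. */
int getClientTypeByName(const char *name)
{
    if (!strcasecmp(name, "normal")) return CLIENT_TYPE_NORMAL;
    if (!strcasecmp(name, "slave"))  return CLIENT_TYPE_SLAVE;
    if (!strcasecmp(name, "pubsub")) return CLIENT_TYPE_PUBSUB;
    if (!strcasecmp(name, "master")) return CLIENT_TYPE_MASTER;
    return -1;
}

/* Applies "<class> <hard> <soft> <soft_seconds> ..." the way the quoted
 * config.c loop does: split on spaces, groups of four, strtoll on the
 * numbers, then index client_obuf_limits[] by the class. hardened == 0
 * uses the class unchecked (the 3.2.3 behaviour); hardened != 0 refuses
 * any class at or past CLIENT_TYPE_OBUF_COUNT. Returns 0 when applied,
 * -1 when the value is rejected. */
int config_set_obuf_limit(volatile struct toyServer *srv, const char *value, int hardened)
{
    char buf[256];
    char *tok[64];
    int n = 0;

    if (strlen(value) >= sizeof buf) return -1;
    strcpy(buf, value);
    for (char *p = strtok(buf, " "); p != NULL && n < 64; p = strtok(NULL, " "))
        tok[n++] = p;
    if (n == 0 || n % 4 != 0) return -1;           /* must be tuples of four */

    for (int j = 0; j < n; j += 4) {
        int cls = getClientTypeByName(tok[j]);
        if (cls == -1) return -1;                   /* unknown class name */
        if (hardened && cls >= CLIENT_TYPE_OBUF_COUNT)
            return -1;                              /* the missing check: "master" */
        srv->client_obuf_limits[cls].hard_limit_bytes   = strtoull(tok[j + 1], NULL, 10);
        srv->client_obuf_limits[cls].soft_limit_bytes   = strtoull(tok[j + 2], NULL, 10);
        srv->client_obuf_limits[cls].soft_limit_seconds = strtoll(tok[j + 3], NULL, 10);
    }
    return 0;
}

/* Runs one CONFIG SET value against a fresh toy server and returns
 * neighbour[0] afterwards: NEIGHBOUR_INIT if the field survived, the
 * attacker's <hard limit> if the write ran off the end of the array. */
unsigned long long neighbour_after(const char *value, int hardened)
{
    struct toyServer storage;
    volatile struct toyServer *srv = &storage;

    memset(&storage, 0, sizeof storage);
    for (int i = 0; i < 4; i++) srv->neighbour[i] = NEIGHBOUR_INIT;
    (void)config_set_obuf_limit(srv, value, hardened);
    return srv->neighbour[0];
}

int main(void)
{
    /* The sample command value from the advisory; 3735928559 is 0xdeadbeef. */
    const char *crafted = "master 3735928559 3405691582 373529054";
    printf("3.2.3 pattern: neighbour[0] = 0x%llx\n", neighbour_after(crafted, 0));
    printf("hardened:      neighbour[0] = 0x%llx\n", neighbour_after(crafted, 1));
    return 0;
}
```

On a 64-bit build the three fields of the fourth "element" land exactly on `neighbour[0..2]`, so the first print shows `0xdeadbeef` (the advisory's hard limit) where the sentinel was, while the hardened path rejects the value and leaves the sentinel intact. In the real daemon the same three stores hit live `redisServer` members, which is where the code-execution potential comes from.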

Talos

id: TALOS-2016-0206
last seen: 2019-05-29
published: 2016-09-30
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0206
title: Redis CONFIG SET client-output-buffer-limit command Code Execution Vulnerability