Vulnerabilities > CVE-2016-8339 - Out-of-bounds Write vulnerability in Redislabs Redis
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201702-16.NASL description The remote host is affected by the vulnerability described in GLSA-201702-16 (Redis: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, able to connect to a Redis instance, could issue malicious commands possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 97259 published 2017-02-21 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/97259 title GLSA-201702-16 : Redis: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201702-16. # # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(97259); script_version("$Revision: 3.1 $"); script_cvs_date("$Date: 2017/02/21 14:37:43 $"); script_cve_id("CVE-2015-4335", "CVE-2015-8080", "CVE-2016-8339"); script_xref(name:"GLSA", value:"201702-16"); script_name(english:"GLSA-201702-16 : Redis: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201702-16 (Redis: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Redis. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, able to connect to a Redis instance, could issue malicious commands possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201702-16" ); script_set_attribute( attribute:"solution", value: "All Redis 3.0.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/redis-3.0.7' All Redis 3.2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/redis-3.2.5'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:redis"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2017/02/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-db/redis", unaffected:make_list("ge 3.2.5", "ge 3.0.7"), vulnerable:make_list("lt 3.2.5"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Redis"); }NASL family Misc. NASL id REDIS_CVE-2016-8339.NASL description The version of Redis installed on the remote host is affected by a remote code execution vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 109325 published 2018-04-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109325 title Pivotal Software Redis 3.2.x < 3.2.4 RCE NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1258.NASL description This update for redis to version 4.0.2 fixes the following issues : - CVE-2016-8339: CONFIG SET client-output-buffer-limit Code Execution Vulnerability (boo#1002351) The following upstream changes are included : - SLOWLOG now logs the offending client name and address - The modules native data types RDB format changed. - The AOF check utility is now able to deal with RDB preambles. - GEORADIUS_RO and GEORADIUSBYMEMBER_RO variants, not supporting the STORE option, were added in order to allow read-only scaling of such queries. - HSET is now variadic, and HMSET is considered deprecated - GEORADIUS huge radius (>= ~6000 km) corner cases fixed - HyperLogLog commands no longer crash on certain input (non HLL) strings. - Fixed SLAVEOF inside MULTI/EXEC blocks. - TCP binding bug fixed when only certain addresses were available for a given por - MIGRATE could crash the server after a socket error last seen 2020-06-05 modified 2017-11-13 plugin id 104521 published 2017-11-13 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104521 title openSUSE Security Update : redis (openSUSE-2017-1258)
Seebug
| bulletinFamily | exploit |
| description | ### Summary An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution. ### Tested Versions Redis - 3.2.3 ### Product URLs http://redis.io/ ### CVSSv3 Score 6.6 - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H ### Details Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at. An out of bounds write vulnerability exists during the modification of the `client-output-buffer-limit` option using the `CONFIG SET` command. The required syntax for setting the `client-output-buffer-limit` option is shown below. ``` CONFIG SET client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds> ``` This option sets the limits for disconnecting clients of a certain class. This option is set using the following code: ``` src/config.c 849 /* Finally set the new config */ 850 for (j = 0; j < vlen; j += 4) { 851 int class; 852 unsigned long long hard, soft; 853 int soft_seconds; 854 855 class = getClientTypeByName(v[j]); 856 hard = strtoll(v[j+1],NULL,10); 857 soft = strtoll(v[j+2],NULL,10); 858 soft_seconds = strtoll(v[j+3],NULL,10); 859 860 server.client_obuf_limits[class].hard_limit_bytes = hard; 861 server.client_obuf_limits[class].soft_limit_bytes = soft; 862 server.client_obuf_limits[class].soft_limit_seconds = soft_seconds; 863 } src/networking.c 1747 int getClientTypeByName(char *name) { 1748 if (!strcasecmp(name,"normal")) return CLIENT_TYPE_NORMAL; // 0 1749 else if (!strcasecmp(name,"slave")) return CLIENT_TYPE_SLAVE; // 1 1750 else if (!strcasecmp(name,"pubsub")) return CLIENT_TYPE_PUBSUB; // 2 1751 else if (!strcasecmp(name,"master")) return CLIENT_TYPE_MASTER; // 3 1752 else return -1; 1753 } ``` In the parsing of `client-output-buffer-limit` a call to `getClientTypeByName` is used to retrieve the corresponding class's type. In this case, `getClientTypeByName` returns a value in the set of [-1, 3]. Looking at the declaration of the `client_obuf_limits` array, we see that the size of the array is `3`. ``` src/server.h 704 struct redisServer { ... 796 clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT]; ... 980 } src/server.h 292 #define CLIENT_TYPE_OBUF_COUNT 3 /* Number of clients to expose to output ``` Although `client-output-buffer-limit` is only expecting clients of types `normal`, `slave`, and `pubsub`, `master` is also a valid client. By providing a client type of `master`, the `client_obuf_limit` array is overflown and subsequent structure variables are overwritten. A sample command exercising this vulnerability is below: ``` CONFIG SET client-output-buffer-limit "master 3735928559 3405691582 373529054" ``` ### Timeline * 2016-09-22 - Vendor Disclosure * 2016—09-26 - Public Release |
| id | SSV:96671 |
| last seen | 2017-11-19 |
| modified | 2017-10-12 |
| published | 2017-10-12 |
| reporter | Root |
| title | Redis CONFIG SET client-output-buffer-limit command Code Execution Vulnerability(CVE-2016-8339) |
Talos
| id | TALOS-2016-0206 |
| last seen | 2019-05-29 |
| published | 2016-09-30 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0206 |
| title | Redis CONFIG SET client-output-buffer-limit command Code Execution Vulnerability |