Subject: Redis Server Unprotected by Password Authentication

Tech Stack: Redis

Date(s) Issued:

• Published: 06/06/2017
• Last Updated: 04/11/2022

Criticality:

• Severity: Critical
• Misconfiguration: Exposed Redis Server 
• CVSS Score: Not explicitly provided, but categorized as “Critical.”

---

Overview

The critical misconfiguration concerns a Redis server that is not protected by password authentication. Redis, an in-memory data structure store, is used as a database, cache, and message broker. The absence of password protection on the Redis server allows unauthorized remote attackers to gain full access to the server, potentially leading to data breaches, unauthorized data manipulation, or even full server compromise.

Affected Versions

All versions of Redis that do not have password authentication enabled via the requirepass directive in the redis.conf configuration file are vulnerable.

Potential Impact

A remote attacker exploiting this vulnerability can:

• Gain unauthorized access to the Redis server.
• Execute arbitrary commands.
• Access, modify, or delete sensitive data.
• Potentially escalate privileges within the network.

---

Solution/Mitigation

To mitigate this vulnerability, you need to secure the Redis server by enabling password authentication.

Step 1: Configure Password Authentication

1. Edit the Redis Configuration File:
   • Locate the redis.conf file, typically found in /etc/redis/ or /etc/redis/redis.conf.
   • Open the file in a text editor with sufficient privileges (e.g., sudo nano /etc/redis/redis.conf).
2. Enable Password Authentication:
   • Find the line that begins with # requirepass (it may be commented out with a #).
   • Uncomment the line and set a strong password:plaintextrequirepass yourStrongPasswordHere
   • Replace yourStrongPasswordHere with a strong, unique password.
3. Save and Close the File:
   • Save the changes to the redis.conf file and close the text editor.
4. Restart the Redis Server:
   • Restart the Redis service to apply the changes:bashsudo systemctl restart redis
   • Alternatively, use the following command if using init.d:bashsudo service redis-server restart

Step 2: Verify the Mitigation

• Check the Redis Server Configuration: Run the following command to confirm the password requirement is enabled:bashredis-cli CONFIG GET requirepass
Ensure the output includes the strong password you set.
• Test Authentication: Use the redis-cli to connect to the Redis server and verify that it prompts for a password:bashredis-cli
AUTH yourStrongPasswordHere
Ensure access is only granted after successful authentication.

Additional Measures

• Firewall Configuration: Ensure the Redis server is not exposed directly to the internet. Restrict access to the Redis port (default 6379) using a firewall or a network security group.
• Network Segmentation: Place the Redis server behind a VPN or on a private network segment that is inaccessible to unauthorized users.
• Monitoring: Enable monitoring to detect any unauthorized access attempts or anomalies in server behavior.

---

Confirmation & Additional Information

• Confirmation Steps: After implementing the changes, regularly monitor Redis server logs for unauthorized access attempts and validate configurations to ensure compliance.
• Stay Updated: Regularly check for Redis updates and apply security patches as they become available.
• Further Reading: Redis AUTH Command Documentation

By implementing these measures, you can significantly reduce the risk associated with the Redis server being unprotected by password authentication.