Subject: Redis Server Unprotected by Password Authentication
Tech Stack: Redis
Date(s) Issued:
Criticality:
The critical misconfiguration concerns a Redis server that is not protected by password authentication. Redis, an in-memory data structure store, is used as a database, cache, and message broker. The absence of password protection on the Redis server allows unauthorized remote attackers to gain full access to the server, potentially leading to data breaches, unauthorized data manipulation, or even full server compromise.
All versions of Redis that do not have password authentication enabled via the requirepass directive in the redis.conf configuration file are vulnerable.
A remote attacker exploiting this vulnerability can:
To mitigate this vulnerability, you need to secure the Redis server by enabling password authentication.
Edit the Redis Configuration File: Open the redis.conf file, typically found in /etc/redis/ or at /etc/redis/redis.conf, in a text editor (for example, sudo nano /etc/redis/redis.conf).

Enable Password Authentication: Locate the line containing # requirepass (it may be commented out with a #) and set it to:

requirepass yourStrongPasswordHere

Replace yourStrongPasswordHere with a strong, unique password.

Save and Close the File: Save the redis.conf file and close the text editor.

Restart the Redis Server: On systems using systemd, run:

sudo systemctl restart redis

On systems using init.d, run:

sudo service redis-server restart

Check the Redis Server Configuration: Run the following command to confirm the password requirement is enabled:

redis-cli CONFIG GET requirepass

Ensure the output includes the strong password you set. Note that once requirepass is active, this command must be issued from an authenticated client; an unauthenticated connection receives a NOAUTH error instead of the value.

Test Authentication: Use redis-cli to connect to the Redis server and verify that it requires a password before accepting commands:

redis-cli
AUTH yourStrongPasswordHere

Ensure access is only granted after successful authentication.
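The procedure above relies on the requirepass directive actually taking effect, and a commented-out line, an empty value, or a later overriding directive leaves the server open even after a restart. The following POSIX shell script is an added example, not part of the original advisory, that audits a redis.conf file the way Redis itself reads it: comment lines are ignored and the last requirepass directive wins. The minimum length check (MIN_PASSWORD_LEN) is an assumed local policy value, and the sample configuration contents in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a redis.conf for an effective
# requirepass directive before and after applying the fix described above.
# Redis ignores lines whose first non-blank character is '#' and applies the
# LAST occurrence of a directive, so "# requirepass ..." or requirepass ""
# leaves the server accepting unauthenticated clients.

# Minimum acceptable password length. Assumed policy value, not from the advisory.
MIN_PASSWORD_LEN=16

# effective_requirepass FILE
# Prints the password Redis would actually enforce (empty if none).
# Handles an optional pair of surrounding double quotes around the value.
effective_requirepass() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | awk 'tolower($1) == "requirepass" { v = $2 } END { print v }' \
        | sed 's/^"\(.*\)"$/\1/'
}

# audit_requirepass FILE
# Returns 0 when password authentication is enabled with an acceptable length,
# 1 when unauthenticated access would be allowed or the password is too short.
audit_requirepass() {
    pw=$(effective_requirepass "$1")
    if [ -z "$pw" ]; then
        echo "FAIL $1: no effective requirepass; unauthenticated access allowed"
        return 1
    fi
    if [ "${#pw}" -lt "$MIN_PASSWORD_LEN" ]; then
        echo "FAIL $1: requirepass set but shorter than $MIN_PASSWORD_LEN characters"
        return 1
    fi
    echo "OK   $1: requirepass enabled"
    return 0
}

# Demo on constructed configuration files (sample content, not a real server's file).
demo() {
    before=$(mktemp); after=$(mktemp)
    # "before": the directive is still commented out, as in a stock redis.conf
    printf '%s\n' 'bind 127.0.0.1' '# requirepass foobared' 'port 6379' > "$before"
    # "after": the directive is active with a long, unique value
    printf '%s\n' 'bind 127.0.0.1' 'requirepass Example-Long-Passphrase-2024' 'port 6379' > "$after"
    audit_requirepass "$before" || :   # expected FAIL
    audit_requirepass "$after"         # expected OK
    rm -f "$before" "$after"
}

[ "${NO_DEMO:-}" ] || demo
```

Run it as `sh audit_requirepass.sh` to see the before/after verdicts, or source it and call `audit_requirepass /etc/redis/redis.conf` against the real file; a non-zero exit status makes it usable as a check in a configuration-management or CI pipeline.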
By implementing these measures, you can significantly reduce the risk associated with the Redis server being unprotected by password authentication.