CVE-2024-25116 in RedisBloominfo

Summary

by MITRE • 04/09/2024

RedisBloom adds a set of probabilistic data structures to Redis. Starting in version 2.0.0 and prior to version 2.4.7 and 2.6.10, authenticated users can use the `CF.RESERVE` command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in RedisBloom 2.4.7 and 2.6.10.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/09/2024

The vulnerability identified as CVE-2024-25116 affects RedisBloom, a module that extends Redis with probabilistic data structures such as Bloom filters and Cuckoo filters. This issue represents a critical denial of service condition that can be exploited by authenticated users who possess valid credentials to interact with the Redis instance. The vulnerability specifically resides within the CF.RESERVE command implementation, which is used to initialize Cuckoo Filter data structures within the Redis environment. The flaw manifests when the command processes certain parameter combinations that lead to an assertion failure within the Redis server runtime.

The technical root cause of this vulnerability stems from inadequate input validation and parameter handling within the CF.RESERVE command implementation. When an authenticated user submits crafted parameters to this command, the system fails to properly validate the input values before processing them, resulting in a runtime assertion that terminates the Redis server process. This behavior aligns with CWE-617, which describes reachable assertions that can be triggered by external inputs, and represents a classic example of an uncontrolled resource consumption vulnerability. The assertion failure occurs during the initialization phase of the Cuckoo Filter structure, where the system attempts to validate memory allocation parameters or internal data structure constraints that are not properly sanitized.

The operational impact of this vulnerability extends beyond simple service disruption as it can be leveraged for more sophisticated attacks within the Redis ecosystem. An attacker with valid authentication credentials can repeatedly trigger this assertion failure, causing the Redis server to crash and restart continuously, effectively creating a persistent denial of service condition. This vulnerability is particularly concerning because Redis instances often serve as critical components in distributed systems, caching layers, and data processing pipelines where availability is paramount. The attack vector requires only authentication access, making it accessible to insiders or compromised accounts, and the impact can cascade through dependent services that rely on Redis for operations.

Mitigation strategies for CVE-2024-25116 should prioritize immediate patching of affected RedisBloom versions, specifically upgrading to 2.4.7 or 2.6.10 releases that contain the necessary fixes. Organizations should also implement network segmentation and access controls to limit the exposure of Redis instances to unauthorized users, following ATT&CK technique T1071.004 for application layer protocol usage. Additional defensive measures include implementing robust monitoring and alerting systems to detect unusual patterns of Redis server restarts or assertion failures, which can serve as early indicators of exploitation attempts. Network-level controls such as firewall rules that restrict access to Redis ports from trusted sources only, combined with regular security audits of Redis configurations, can provide additional layers of protection. The fix implemented in the patched versions addresses the core validation issue by properly sanitizing input parameters before they are processed, preventing the assertion failure from occurring during normal operational conditions.

Responsible

GitHub, Inc.

Reservation

02/05/2024

Disclosure

04/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00198

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!