Redis on Debian: Two critical vulnerabilities (CVE-2025-67733 & CVE-2026-21863) can lead to data tampering and DoS. This guide shows how to check your exposure, apply the fix, and implement long-term hardening. Plus, a bonus bash script to automate the upgrade and practical mitigation steps for when you can’t update right away. Learn to stop chasing patches and start dissecting the malware that exploits them.
The Vulnerabilities: What Happened and Why It Matters
In early 2026, Debian issued a security advisory (DSA-6279-1) for Redis, revealing two high-severity vulnerabilities that could affect your data integrity and service availability.
CVE-2025-67733: A flaw in Redis’s Lua scripting error path allowed authenticated users to inject CR/LF byte sequences into error replies, effectively hijacking the RESP protocol and tampering with unrelated data on the same connection.
CVE-2026-21863: The Redis cluster bus packet validation was insufficient. An attacker with access to the cluster bus port could send a malformed PING/PONG message, causing an out-of-bounds read that crashes the server.
The fixed versions are 7.2.12, 8.0.7, 8.1.6, and 9.0.2.
How to Check if You Are Vulnerable (Debian)
Run these commands on your Debian server to see your Redis version and determine if you are exposed.
# Check your Redis server version redis-server --version # Check the installed package version (Debian/Ubuntu) dpkg -l | grep redis-server # For a more detailed check, connect to Redis and query the version redis-cli INFO server | grep redis_version
If the version is lower than one of the fixed ones listed above, your system is vulnerable.
Automation Script to Apply the Fix
Here is a ready-to-use Bash script to update Redis to the latest secure version on your Debian system. Always backup your data before running system updates.
#!/bin/bash # Redis Security Patch Automation Script # Run with: sudo bash redis_security_update.sh set -e # Define colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' # No Color # Function to log messages log_message() { echo -e "${GREEN}[INFO]${NC} $1" } error_message() { echo -e "${RED}[ERROR]${NC} $1" } warning_message() { echo -e "${YELLOW}[WARNING]${NC} $1" } # Check if script is run as root if [[ $EUID -ne 0 ]]; then error_message "This script must be run as root. Use sudo." exit 1 fi log_message "Starting Redis security update process..." # Create a backup directory BACKUP_DIR="/root/redis_backup_$(date +%Y%m%d_%H%M%S)" mkdir -p $BACKUP_DIR log_message "Created backup directory: $BACKUP_DIR" # Backup Redis configuration and data if [ -f /etc/redis/redis.conf ]; then cp /etc/redis/redis.conf $BACKUP_DIR/ log_message "Redis configuration backed up." else warning_message "redis.conf not found at /etc/redis/redis.conf" fi # Check if Redis is running and save data if systemctl is-active --quiet redis-server; then redis-cli SAVE log_message "Manual SAVE command executed." # Copy RDB and AOF files if they exist [ -f /var/lib/redis/dump.rdb ] && cp /var/lib/redis/dump.rdb $BACKUP_DIR/ [ -f /var/lib/redis/appendonly.aof ] && cp /var/lib/redis/appendonly.aof $BACKUP_DIR/ log_message "Redis data files backed up." else warning_message "Redis service is not running. Skipping data backup." fi # Update package lists log_message "Updating package lists..." apt update # Check current version before upgrade CURRENT_VERSION=$(redis-server --version 2>&1 | awk -F'=' '{print $2}' | awk '{print $1}') log_message "Current Redis version: $CURRENT_VERSION" # Perform the upgrade log_message "Upgrading Redis packages..." apt install --only-upgrade redis-server -y # Check upgrade result NEW_VERSION=$(redis-server --version 2>&1 | awk -F'=' '{print $2}' | awk '{print $1}') if [ "$CURRENT_VERSION" != "$NEW_VERSION" ]; then log_message "Redis upgraded successfully from $CURRENT_VERSION to $NEW_VERSION" else warning_message "Redis version unchanged. Checking available updates..." apt-cache policy redis-server fi # Restart Redis service log_message "Restarting Redis service..." systemctl restart redis-server # Wait for service to be fully up sleep 3 # Verify service status if systemctl is-active --quiet redis-server; then log_message "Redis service is running and active." else error_message "Redis service failed to start. Check logs with: journalctl -u redis-server" exit 1 fi # Verify Redis responds to commands if redis-cli PING | grep -q "PONG"; then log_message "Redis is responding correctly to commands." else error_message "Redis is not responding to PING command." exit 1 fi log_message "Redis security update completed successfully!" echo "----------------------------------------" echo "Backup location: $BACKUP_DIR" echo "To restore data if needed: sudo systemctl stop redis-server && cp $BACKUP_DIR/* /var/lib/redis/ && sudo systemctl start redis-server"
Do you want to understand how to create scripts like this for any future CVE, instead of just copy-pasting fixes? That’s where Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly comes in.
This script fixes a single CVE. That book teaches you to build tools to analyze any binary, find the root cause, and fix vulnerabilities you’ve never even seen before. The official book from No Starch Press is available here on Amazon .
Pratical Binary Analysis (adversiting))-> https://amzn.to/4ukcDrO
A patch fixes a hole. But real attackers don’t just send malformed packets—they deliver malware that exploits the flaw, persists on your system, evades detection, and phones home. To truly win, you need to understand both sides of the equation. Practical Malware Analysis:
The Hands-On Guide to Dissecting Malicious Software (No Starch Press) is your definitive guide to reverse-engineering the malware that exploits these holes. Get it here on Amazon .
Pratical Malware Analysis -> (adversitibg) -> https://amzn.to/3Rigx5N
I earn a comission with you make a purchase .
Alternative Mitigation If You Can’t Update Now
If you cannot patch immediately, here are three practical layers of defense to implement right now.
Disable or restrict Lua scripting entirely. The simplest and most effective workaround is to prevent users from executing Lua scripts. Use Redis ACLs to block the EVAL, EVALSHA, and FUNCTION commands. Connect to your Redis CLI and run:
# Create a user with no script execution permissions ACL SETUSER restricted_user on >password_here +@all -EVAL -EVALSHA -FUNCTION -FCALL # For existing default user, disable dangerous commands ACL SETUSER default -EVAL -EVALSHA -FUNCTION -FCALL
If your Redis version does not support ACLs (pre-6.0), you can rename the dangerous commands in redis.conf:
rename-command EVAL "" rename-command EVALSHA "" rename-command FCALL ""
Harden the cluster bus port (CVE-2026-21863 mitigation). The second vulnerability requires access to the cluster bus port (typically port 16379). Protect it aggressively with iptables. For example, to allow access only from your known application servers (replace 192.168.1.100 and 192.168.1.101 with your actual IPs):
# Flush existing rules for port 16379 iptables -D INPUT -p tcp --dport 16379 -j ACCEPT 2>/dev/null # Allow only trusted IPs iptables -A INPUT -p tcp -s 192.168.1.100 --dport 16379 -j ACCEPT iptables -A INPUT -p tcp -s 192.168.1.101 --dport 16379 -j ACCEPT # Drop everything else iptables -A INPUT -p tcp --dport 16379 -j DROP
Enable basic AppArmor confinement. While not a complete fix, an AppArmor profile restricts what Redis can do if compromised. On Debian, you can enforce a basic profile:
sudo apt install apparmor-profiles-extra sudo aa-enforce /usr/sbin/redis-server
This layered approach—patching first, then ACLs, then network isolation, and finally MAC—gives you robust defense-in-depth.
Conclusion: Take Action Now
Don’t wait for the next advisory to catch you off guard. Here is your immediate checklist:
1. Run the version check to see if your Redis servers are vulnerable.
2. Download and execute the automation script to apply the fix.
3; If you can’t patch today, implement the mitigation steps above.
4. Level up your security skills by grabbing Practical Binary Analysis and Practical Malware Analysis from No Starch Press on Amazon. The small investment in knowledge will pay dividends for years to come.
Nenhum comentário:
Postar um comentário