CVE-2022-0543 — Debian-specific Redis Server Lua Sandbox Escape Vulnerability

CVE-2022-0543

Redis (Debian/Ubuntu) — Lua sandbox escape via package.loadlib() enables unauthenticated RCE

What is Redis?

Redis is an open-source, in-memory data structure store widely used as a cache, message broker, and session store. Its Lua scripting capability (via EVAL/EVALSHA commands) allows operators to run server-side scripts atomically. Redis is deployed across millions of web applications, microservices, and cloud workloads — making it a high-value pivot point for attackers.

Overview

CVE-2022-0543 is a Lua sandbox escape specific to the Debian and Ubuntu redis packages. Any client that can run EVAL or EVALSHA can break out of the scripting sandbox and execute arbitrary OS commands on the host as the Redis service user. The bug comes from a packaging difference in Debian-derived distributions, not from upstream Redis code, and carries a CVSS 3.1 score of 10.0 (network, low complexity, no privileges, no user interaction, scope changed). Active exploitation in the wild prompted CISA to add it to the KEV catalog on 2022-03-28.

Affected Versions

Package                                     Vulnerable                                      Fixed
Redis (Debian/Ubuntu packages)              Every package build before the 2022-02-18 fix   Debian: 5:5.0.14-1+deb10u2 (buster), 5:6.0.16-1+deb11u2 (bullseye), per DSA-5081-1; Ubuntu: the updated redis / redis-server packages from the corresponding Ubuntu security notice
Redis (upstream source, non-Debian builds)  Not affected                                    N/A: the issue is in Debian's packaging, not in upstream code

Technical Details

The root cause lies in how Debian builds Redis: the package is dynamically linked against the system liblua5.1 shared library instead of the Lua interpreter bundled in upstream's deps/lua tree. Upstream Redis opens only a fixed set of Lua libraries for scripts (base, table, string, math, debug, plus cjson, struct, cmsgpack and bit) and never loads the package, io or os libraries, so a script has no way to reach the filesystem or spawn processes. In the Debian build the Lua package library ends up loaded, which leaves the package global, and with it package.loadlib(), visible to every EVAL script.

package.loadlib(path, funcname) dlopens an arbitrary shared object and returns the exported symbol funcname as a callable Lua C function. The attacker does not need to drop a file of their own: liblua5.1 itself exports luaopen_io and luaopen_os, the initialisers for the very libraries upstream Redis deliberately withholds. Loading one of them back into the sandbox yields io.popen and os.execute, which run arbitrary shell commands with the privileges of the Redis process (the redis user on Debian).

The exploit pattern (a plain Lua script sent as the body of EVAL with zero keys, e.g. redis-cli -h target --eval poc.lua):

local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io")  -- liblua5.1 exports the io library opener
local io = io_l()                      -- call it to build the io table Redis never loads
local f = io.popen("id", "r")          -- spawns /bin/sh -c id as the redis user
local out = f:read("*a")
f:close()
return out                             -- returned to the EVAL caller as a bulk string

Prerequisites: The attacker must be able to execute Redis EVAL or EVALSHA commands. This requires either (a) an unauthenticated, reachable Redis instance (common: Redis historically shipped with no authentication by default, and protected mode only helps when no bind address and no password are configured), or (b) a compromised Redis password or an ACL user that is allowed the scripting command category.
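The cheapest way to tell a vulnerable build from a safe one without running anything harmful is to ask the server whether the package global exists: EVAL "return type(package)" 0 answers "table" on an unpatched Debian/Ubuntu build and "nil" on upstream or patched builds. The following is an added example, not code from the advisory or from the Redis project: a minimal RESP client that sends that probe and classifies the reply, including the NOAUTH and protected-mode error replies a hardened server returns. The host and port are assumptions, and the replies used in the usage note are constructed.

```python
"""Probe a Redis server for the CVE-2022-0543 precondition (Lua `package` global exposed).

Added example; not part of the advisory or the Redis project. Speaks raw RESP so it
runs with only the standard library. Sample replies used for testing are constructed.
"""
import socket
from typing import Optional, Tuple

PROBE_SCRIPT = "return type(package)"  # harmless: only reports the type of a global


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what every client sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_reply(raw: bytes) -> Tuple[str, str]:
    """Parse the first RESP reply in `raw` into (kind, payload).

    kind is 'bulk', 'error', 'status' or 'null'; anything else is reported as 'other'
    so the caller never mistakes an unexpected reply for a verdict.
    """
    if not raw:
        raise ValueError("empty reply")
    head, _, rest = raw.partition(b"\r\n")
    tag, body = chr(head[0]), head[1:].decode(errors="replace")
    if tag == "-":
        return "error", body
    if tag == "+":
        return "status", body
    if tag == "$":
        n = int(body)
        if n < 0:
            return "null", ""
        return "bulk", rest[:n].decode(errors="replace")
    return "other", body


def classify(kind: str, payload: str) -> str:
    """Map the reply to `return type(package)` onto a human-readable verdict."""
    if kind == "bulk" and payload == "table":
        return "VULNERABLE: package global exposed (unpatched Debian/Ubuntu build)"
    if kind == "bulk" and payload == "nil":
        return "OK: package global absent (upstream or patched build)"
    if kind == "error" and payload.startswith("NOAUTH"):
        return "AUTH REQUIRED: cannot probe without credentials"
    if kind == "error" and payload.startswith("DENIED"):
        return "PROTECTED MODE: server refuses non-loopback clients"
    if kind == "error":
        return f"ERROR: {payload}"
    return f"UNEXPECTED: {kind} {payload!r}"


def probe(host: str, port: int = 6379, password: Optional[str] = None, timeout: float = 3.0) -> str:
    """Connect, optionally AUTH, send the probe and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if password:
            s.sendall(resp_command("AUTH", password))
            kind, payload = parse_reply(s.recv(4096))
            if kind == "error":
                return classify(kind, payload)  # bad password: report, do not continue
        s.sendall(resp_command("EVAL", PROBE_SCRIPT, "0"))
        kind, payload = parse_reply(s.recv(4096))
    return classify(kind, payload)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default target
    print(probe(target))
```

Run it against a host you are authorised to test; a "table" verdict on a Debian or Ubuntu machine means the package from the Affected Versions table has not been applied. Because the probe never touches package.loadlib it is safe to run from monitoring or an inventory job.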

Discovery

The vulnerability was discovered by Reginaldo Silva and reported through the Debian bug tracker (bug #1005787) in February 2022. Debian (DSA-5081-1) and Ubuntu issued security advisories and patched packages on 2022-02-18, the same day the CVE was published; the fix removes the package global from the script environment.

Exploitation Context

Redis instances exposed to the internet without authentication are common; Shodan regularly indexes tens of thousands of them. Once an attacker finds an open Redis server running the Debian or Ubuntu package, a single EVAL call gives OS-level code execution as the redis user with no further steps (this is remote code execution, not a privilege escalation: the attacker gains exactly the rights of the service account).

Exploitation chains seen in the wild include:

  • Cryptomining malware dropped through the EVAL sandbox escape
  • Persistence via authorized_keys writes (a long-standing Redis technique that needs only CONFIG SET dir/dbfilename and SAVE, and works even without this CVE)
  • Lateral movement using the Redis host as a springboard into internal networks

Remediation

  1. Patch immediately: Update to the fixed redis / redis-server package on Debian/Ubuntu (apt update && apt install --only-upgrade redis-server), then restart the service. Verify the fix with redis-cli eval "return type(package)" 0: a patched build returns nil, a vulnerable one returns table.
  2. Enable authentication and restrict scripting: Set a strong password via requirepass in redis.conf, or better, use Redis ACLs (Redis 6+) and deny the scripting category to application users (ACL SETUSER app -@scripting). A password alone only raises the bar; a leaked password on an unpatched host is still RCE.
  3. Bind to localhost: In redis.conf, set bind 127.0.0.1 (add -::1 on Redis 6.2+ for IPv6) unless remote access is genuinely required.
  4. Keep protected mode on: protected-mode yes is the default since Redis 3.2, but it only refuses non-loopback clients when no bind directive and no password are configured. An explicit bind 0.0.0.0 disables it in practice, so treat it as a fallback, not a substitute for steps 2 and 3.
  5. Firewall Redis ports: Restrict access to port 6379 (and the cluster bus port, 16379 by default) to trusted hosts only.
  6. Review for compromise: If the instance was reachable while vulnerable, check for unauthorized cron jobs, new user accounts, unexpected authorized_keys entries, and unfamiliar processes spawned by the redis user.
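Steps 2 to 4 are all redis.conf settings, and the interactions between them (bind versus protected mode, requirepass versus ACL scripting rules) are where operators usually slip. Below is an added example, not code from the advisory or from the Redis project, that audits a redis.conf text against those steps and returns the findings. The two configs embedded in it are constructed samples: one with the weak settings that get exploited, one hardened; the ACL user lines use Redis 6+ rule syntax and the -::1 bind form is Redis 6.2+.

```python
"""Audit a redis.conf against the hardening steps for CVE-2022-0543.

Added example; not part of the advisory or the Redis project. Both sample configs
are constructed. Checks: bind scope, protected-mode, authentication, and whether any
enabled ACL user can still run EVAL/EVALSHA. For live servers use `ACL LIST` instead
of parsing the file, since rule order and runtime changes matter.
"""
from typing import Dict, List

WEAK_CONF = """\
# constructed sample: the shape that gets exploited
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: patched package installed, plus defence in depth
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass a-long-random-secret-loaded-from-a-secret-manager
# Redis 6+ ACLs: default user disabled, application user cannot run EVAL
user default off
user app on >another-long-random-secret ~app:* &* +@all -@scripting -@dangerous
"""


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of its argument lists (directives may repeat)."""
    conf: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings: List[str] = []

    # Step 3: bind scope. No bind directive means every interface.
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(b.lstrip("-") in ("0.0.0.0", "::", "*") for b in binds):
        findings.append(f"bind exposes all interfaces: {' '.join(binds)}")

    # Step 4: protected mode (default yes; the last occurrence wins).
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode no: loopback-only fallback disabled")

    # Step 2: some form of authentication must exist.
    users = conf.get("user", [])
    acl_password = any(any(r.startswith((">", "#")) for r in rules) for rules in users)
    if "requirepass" not in conf and not acl_password:
        findings.append("no requirepass and no ACL user with a password: unauthenticated access")

    # Step 2: an authenticated user should still not be able to run EVAL on a Redis
    # you cannot patch today. ACL rules apply in order, so an explicit -@scripting
    # must follow any broad grant such as +@all.
    for rules in users:
        if not rules or "off" in rules[1:]:
            continue
        name, flags = rules[0], rules[1:]
        allows = {"+@all", "+@scripting", "+eval", "allcommands"} & set(flags)
        denies = "-@scripting" in flags or {"-eval", "-evalsha"} <= set(flags)
        if allows and not denies:
            findings.append(f"ACL user {name} can run EVAL: add -@scripting")
    if "requirepass" in conf and not users:
        findings.append("requirepass only: the default user can run EVAL (no ACL denying @scripting)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

The "requirepass only" finding is deliberate: it is the case (b) from the Prerequisites above, where a stolen password is all an attacker needs on an unpatched host. Denying @scripting to application users closes that path regardless of the package version.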

Key Details

Property              Value
CVE ID                CVE-2022-0543
Vendor / Product      Redis (Debian/Ubuntu redis packages)
NVD Published         2022-02-18
NVD Last Modified     2025-11-10
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-862 (Missing Authorization)
CISA KEV Added        2022-03-28
CISA KEV Deadline     2022-04-18
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date         Event
2022-02-18   CVE published
2022-02-18   Debian security advisory (DSA-5081-1) issued
2022-03-28   Added to CISA Known Exploited Vulnerabilities catalog
2022-04-18   CISA BOD 22-01 remediation deadline

References

Resource                              Type
NVD entry for CVE-2022-0543           Vulnerability Database
CISA KEV Catalog entry                US Government
Debian Bug Report #1005787            Vendor Advisory
Redis Lua Sandbox Escape PoC          Security Research