In the proof-of-concept attack demonstrated by Wiz, the attackers exploit this vulnerability to start a reverse shell that allows them to execute additional commands. This can lead to credential theft from the environment, such as SSH keys, AWS IAM tokens, and certificates. It can also lead to malware and cryptominer deployment.
Lack of Redis authentication is a widespread issue
While Redis supports authentication, it is often deployed without it, especially on internal networks but also on internet-facing systems. For example, the Wiz researchers note that in 57% of cloud environments, Redis is deployed as a container image, and the official Redis container on Docker Hub does not have authentication enabled by default.
“The combination of no authentication and exposure to the internet is highly dangerous, allowing anyone to query the Redis instance and, specifically, send Lua scripts (which are enabled by default),” the researchers note. “This enables attackers to exploit the vulnerability and achieve RCE within the environment.”
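To check a deployment for the combination the researchers describe, the following added example (not from the article or from Wiz) audits a redis.conf for missing authentication, network exposure and unrestricted Lua scripting. The sample configs, the finding names and the conservative rule that every enabled ACL user should carry an explicit `-@scripting` are assumptions made for illustration.

```python
import shlex

# Constructed sample configs for illustration (not taken from the article).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
user default off
user app on >placeholder-secret ~app:* +@read +@write -@scripting
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse(conf_text):
    """Return [(directive, [args])] for each non-comment line of a redis.conf."""
    rows = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            rows.append((parts[0].lower(), parts[1:]))
    return rows

def audit(conf_text):
    """Return a sorted list of finding ids (hypothetical names) for one config."""
    rows = parse(conf_text)
    binds = [a.lstrip("-") for d, args in rows if d == "bind" for a in args]
    # With no bind directive Redis listens on every interface.
    exposed = not binds or any(a not in LOOPBACK for a in binds)
    unprotected = ("protected-mode", ["no"]) in rows
    requirepass = any(d == "requirepass" and args for d, args in rows)
    # Implicit default user: enabled, no password, all commands allowed.
    users = {"default": ["on", "nopass", "+@all"]}
    users.update({args[0]: args[1:] for d, args in rows if d == "user" and args})
    enabled = {u: r for u, r in users.items() if "off" not in r}

    def has_secret(name, rules):
        return (name == "default" and requirepass) or (
            "nopass" not in rules and any(x.startswith((">", "#")) for x in rules))

    no_auth = any(not has_secret(u, r) for u, r in enabled.items())
    checks = {
        "network-exposed": exposed,
        "protected-mode-off": unprotected,
        "no-auth": no_auth,
        # Conservative: require an explicit -@scripting on every enabled user.
        "lua-scripting-allowed": any("-@scripting" not in r for r in enabled.values()),
        "unauthenticated-remote-access": exposed and unprotected and no_auth,
    }
    return sorted(name for name, hit in checks.items() if hit)
```

`audit(WEAK_CONF)` reports all five findings, while `audit(HARDENED_CONF)` returns an empty list.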