Open Redis Instance Without Authentication

Quick Summary

Open Redis Instance Without Authentication is a critical misconfiguration where the Redis database service is exposed without requiring authentication. An unauthenticated Redis instance may allow attackers to read, modify, or delete data, execute system-level actions, or gain remote code execution under certain configurations.

Vulnerability Classification

  • Vulnerability Type: Database Service Misconfiguration
  • CWE ID: CWE-306 – Missing Authentication for Critical Function
  • CVE ID: N/A (Configuration Issue)
  • CVSS 4.0 Base Score: 9.2 (Critical)
  • CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H
  • OWASP Category: A05:2021 – Security Misconfiguration
  • Attack Surface: Internal / External Network

Affected Asset / Environment

  • Service: Redis
  • Default Port: 6379
  • Platforms: Linux Servers, Cloud Instances, Containers
  • Testing Method: Black-box / Internal Assessment
  • Tools Used: Nmap, redis-cli, Netcat

Description

The assessor observed that the Redis service running on the target system is accessible without requiring authentication. During testing, it was possible to connect to the Redis instance and execute commands without providing credentials.

Redis is an in-memory data store commonly used for caching, session storage, and message brokering. When authentication is not enforced, attackers may retrieve sensitive application data, manipulate stored values, or modify server configuration.

In certain scenarios, attackers may exploit Redis misconfigurations to write arbitrary files to the file system, potentially leading to remote code execution.

Root Cause

The issue is caused by an improper Redis configuration in which authentication is not enabled.

Common root causes include:

  • requirepass not configured in redis.conf
  • Redis bound to all interfaces (0.0.0.0)
  • Firewall restrictions not implemented
  • Lack of secure deployment baseline
  • Default configuration used in production

Business Impact

Exploitation of this vulnerability may allow attackers to access sensitive application data, including session tokens, cached credentials, and configuration information.

Attackers may also modify stored data, disrupt application functionality, or delete critical cache entries, causing service outages.

In severe cases, exploitation may lead to remote code execution and complete server compromise.

Technical Impact

An attacker can:

  • Connect to Redis without authentication
  • Retrieve stored keys and values
  • Modify or delete application data
  • Flush entire databases
  • Change configuration parameters
  • Attempt file-write exploitation under specific conditions

This significantly increases the risk of data exposure and system compromise.

Proof of Concept (PoC)

Step 1: Identify Redis Service

nmap -sV -p 6379 <target-ip>

If port 6379 is open and the service is identified as Redis, proceed to validation.

Step 2: Attempt Direct Connection

redis-cli -h <target-ip>

If the connection is established without an authentication prompt, the service may be vulnerable.

Step 3: Test Basic Command Execution

Inside the Redis session:

PING

If the response is:

PONG

authentication is not enforced.

Step 4: Enumerate Keys

KEYS *

If keys are returned without authentication, sensitive data may be exposed.

Step 5: Validate Data Access

GET <key-name>

If the stored data is retrieved successfully, unauthorized access is confirmed.

Exploitation Prerequisites

  • Network access to port 6379
  • Redis service running
  • No authentication configured
  • Firewall not restricting access

Remediation

It is recommended that authentication and network restrictions be enforced on Redis services.

Recommended actions:

  • Configure a strong password using the requirepass directive
  • Bind Redis to localhost or trusted internal IP addresses
  • Restrict port 6379 using firewall rules
  • Enable protected mode
  • Avoid exposing Redis to the public internet
  • Regularly audit the Redis configuration

After applying the changes, restart the Redis service and verify that authentication is enforced.

Detection and Monitoring

  • Monitor Redis logs for unauthorized access attempts
  • Alert on external connections to port 6379
  • Conduct periodic port scans
  • Implement network segmentation for database services

Tags

Open Redis Instance
Port 6379 Vulnerability
Unauthenticated Database Access
Redis Misconfiguration
Critical Network Exposure
PentestHint Vulnerability Database
