// For flags

CVE-2021-32761

Integer overflow issues with *BIT commands on 32-bit systems

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted commands bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Redis es una base de datos en memoria que persiste en el disco. Se presenta una vulnerabilidad que implica una lectura fuera de límites y el desbordamiento de enteros a desbordamiento de búfer a partir de la versión 2.2 y anterior a las versiones 5.0.13, 6.0.15 y 6.2.5. En los sistemas de 32 bits, el comando "*BIT*" de Redis es vulnerable al desbordamiento de enteros que puede ser potencialmente explotado para corromper la pila, filtrar contenidos arbitrarios de pila o desencadenar una ejecución de código remota . La vulnerabilidad implica cambiar el parámetro de configuración "proto-max-bulk-len" predeterminado a un valor muy grande y construir comandos de bits especialmente diseñados. Este problema sólo afecta a Redis en plataformas de 32 bits, o compilado como un binario de 32 bits. Redis versiones 5.0.3m 6.0.15, y 6.2.5 contienen parches para este problema. Una solución adicional para mitigar el problema sin parchear el ejecutable "redis-server" es prevenir que usuarios modifiquen el parámetro de configuración "proto-max-bulk-len". Esto puede hacerse usando ACL para restringir a usuarios sin privilegios de usar el comando CONFIG SET

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-05-12 CVE Reserved
  • 2021-07-21 CVE Published
  • 2023-12-07 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
  • CWE-190: Integer Overflow or Wraparound
  • CWE-680: Integer Overflow to Buffer Overflow
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redislabs
Search vendor "Redislabs"
Redis
Search vendor "Redislabs" for product "Redis"
>= 2.2.0 < 5.0.13
Search vendor "Redislabs" for product "Redis" and version " >= 2.2.0 < 5.0.13"
-
Affected
Redislabs
Search vendor "Redislabs"
Redis
Search vendor "Redislabs" for product "Redis"
>= 6.0 < 6.0.15
Search vendor "Redislabs" for product "Redis" and version " >= 6.0 < 6.0.15"
-
Affected
Redislabs
Search vendor "Redislabs"
Redis
Search vendor "Redislabs" for product "Redis"
>= 6.2.0 < 6.2.5
Search vendor "Redislabs" for product "Redis" and version " >= 6.2.0 < 6.2.5"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected