
Redis CSRF vulnerability analysis

Last Updated: Jun 09, 2018

CSRF introduction

CSRF (Cross-site Request Forgery), also known as One Click Attack or Session Riding and usually abbreviated as CSRF or XSRF, is an attack in which a malicious website causes a user's browser to send requests to another site on the user's behalf, reusing whatever the browser already holds for that site: session cookies, a logged-in state, or simply network reachability that the attacker's own machine does not have.

(Figure: CSRF attack model)

The preceding figure shows a simple CSRF attack model. A user visits malicious Website B. The page that Website B returns contains content, such as a hidden form or a script, that makes the user's browser send an HTTP request to Website A. If the user is logged in to Website A, or the browser can otherwise reach Website A, that request is handled as if the user had sent it deliberately.

Redis CSRF attack model

(Figure: Redis CSRF attack model)

Applying the same principle, a malicious website can make a user's browser send an HTTP request to a Redis server that the browser can reach, for example an instance listening on the intranet or on the user's own machine. Redis speaks a plain-text protocol in which each line of input is parsed as a command, and it does not close the connection when it receives a line it cannot interpret: it replies with an error and goes on parsing the next line. The HTTP request line and headers therefore only produce harmless "unknown command" errors, while the Redis commands that the attacker places in the body of the POST request are executed. If Redis is not protected by a password, those commands run with full privileges, and an attacker can wipe or overwrite the data and demand a ransom, exactly as in the earlier MongoDB ransom incidents.

Fix in Redis

The author of Redis fixed the problem in Redis 3.2.7 by treating POST and Host: as special command names. When a connection sends a command with either name, Redis logs a security warning about a possible Cross Protocol Scripting attack and closes the connection, so none of the lines that follow the HTTP headers are executed. Because a browser always places the POST request line and a Host: header before any attacker-controlled body, this blocks the attack described above. The fix does not replace authentication: the same commands sent by any other client that can reach the port are still executed, so requirepass and network restrictions remain necessary.
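As an added example (not code from the original page or from Redis itself), the following Python script models the exchange described in the two sections above: what a victim's browser sends when a malicious page makes it POST to a Redis port, how an unfixed Redis parses that request line by line, and how the 3.2.7 behaviour changes the outcome. The InlineRedisModel class is a deliberately small stand-in for the Redis inline-protocol parser, not the real implementation; the request, the stored data, the attacker's payload and the address 127.0.0.1:6379 are constructed for illustration.

```python
# Added example: a model of Redis' inline-protocol handling of a cross-site
# HTTP POST, before and after the Redis 3.2.7 POST/Host: fix. Not Redis code.

# Warning text modelled on the line Redis logs when it aborts such a connection.
REDIS_SECURITY_WARNING = (
    "Possible SECURITY ATTACK detected. It looks like somebody is sending "
    "POST or Host: commands to Redis. This is likely due to an attacker "
    "attempting to use Cross Protocol Scripting to compromise your Redis "
    "instance. Connection aborted."
)


def build_csrf_request(host, body_lines):
    """Text a browser sends for a cross-site POST to host. The request line
    and headers are added by the browser; only the body is attacker-controlled."""
    body = "".join(line + "\r\n" for line in body_lines)
    return (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        + body
    )


class InlineRedisModel:
    """Tiny stand-in for a Redis server (assumption: not the real parser).

    It keeps the two behaviours that matter for this attack:
    * an unknown command gets an -ERR reply and the connection stays open;
    * with fixed=True (3.2.7 and later) a command named POST or Host: logs a
      warning and closes the connection, so nothing after it is executed.
    """

    def __init__(self, requirepass=None, fixed=True):
        self.requirepass = requirepass
        self.fixed = fixed
        self.authed = requirepass is None      # no password: every client is trusted
        self.closed = False
        self.data = {}
        self.log = []

    def known_commands(self):
        base = {"auth", "get", "set", "flushall"}
        return base | {"post", "host:"} if self.fixed else base

    def feed(self, raw):
        """Parse everything the client sent as inline commands; return replies."""
        replies = []
        for line in raw.split("\r\n"):
            if self.closed:
                break                          # socket closed: nothing more is read
            argv = line.split()                # inline protocol: whitespace-separated
            if not argv:
                continue                       # Redis ignores empty inline lines
            replies.append(self._dispatch(argv))
        return replies

    def _dispatch(self, argv):
        cmd = argv[0].lower()                  # command lookup is case-insensitive
        if cmd not in self.known_commands():
            return f"-ERR unknown command '{argv[0]}'"
        if cmd == "auth":
            self.authed = len(argv) == 2 and argv[1] == self.requirepass
            return "+OK" if self.authed else "-ERR invalid password"
        if not self.authed:                    # requirepass set and no AUTH yet
            return "-NOAUTH Authentication required."
        if cmd in ("post", "host:"):           # the 3.2.7 fix
            self.log.append(REDIS_SECURITY_WARNING)
            self.closed = True
            return None
        if cmd == "set" and len(argv) == 3:
            self.data[argv[1]] = argv[2]
            return "+OK"
        if cmd == "get" and len(argv) == 2:
            return self.data.get(argv[1])
        if cmd == "flushall":
            self.data.clear()
            return "+OK"
        return "-ERR wrong number of arguments"


def run_attack(requirepass=None, fixed=True):
    """Replay the constructed attack against one server configuration."""
    server = InlineRedisModel(requirepass=requirepass, fixed=fixed)
    server.data["order:1001"] = "paid"          # constructed victim data
    # Constructed attacker body: wipe the keyspace and leave a ransom note.
    request = build_csrf_request("127.0.0.1:6379",
                                 ["FLUSHALL", "SET README pay_to_recover_data"])
    replies = server.feed(request)
    return server, replies


if __name__ == "__main__":
    for label, kwargs in [("unfixed, no password", dict(fixed=False)),
                          ("unfixed, requirepass", dict(fixed=False, requirepass="s3cret")),
                          ("3.2.7+, no password", dict(fixed=True))]:
        server, replies = run_attack(**kwargs)
        print(f"{label}: data={server.data} closed={server.closed} replies={replies}")
```

Running the three scenarios shows the point of each defence: without the fix and without a password the HTTP headers produce four unknown-command errors and then FLUSHALL and SET execute; with requirepass set the same lines are answered with NOAUTH and nothing changes; with the 3.2.7 behaviour the very first line (POST) ends the connection before the body is ever parsed.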

Redis security risks

Redis had earlier exposed a security issue in which attackers could, under certain conditions, gain root privileges on the server running Redis: if an instance is reachable without a password and runs as root, the CONFIG SET and SAVE commands let an attacker write the dataset to a path of their choosing, including files such as the root user's SSH authorized_keys file. These incidents are primarily attributable to users' lack of understanding of Redis's security model, limited Redis O&M experience, and failure to use the protection mechanisms that Redis offers. ApsaraDB for Redis provides a more secure Redis service, and we recommend it for Redis workloads on the cloud.

ApsaraDB for Redis security measures

Internal network access only

By default, ApsaraDB for Redis is reachable only from the trusted internal network. Access over the Internet is not allowed.

Physical network isolation

The ApsaraDB for Redis backend physical network and the user network are physically isolated. Users' virtual machines cannot directly reach the backend physical machine network.

VPC network isolation

If you use an Alibaba Cloud VPC, an instance is reachable only from services in the same VPC.

Whitelist

ApsaraDB for Redis supports whitelists. You can configure the IP addresses that are allowed to connect in the console; connections from any other address are refused.

Password access

ApsaraDB for Redis enforces password authentication for instances in the classic network. Set a long, complex password: Redis answers AUTH very quickly, so a short or guessable password can be brute-forced.

Access permission isolation

Each backend ApsaraDB for Redis instance is isolated by ACLs and by a restricted accessible directory. An instance can only access its own path, so instances cannot interfere with one another.

Dangerous commands forbidden

ApsaraDB for Redis disables dangerous system management commands such as CONFIG and SAVE, the commands used in the root-privilege attack described above. If you need to change a configuration parameter, you must pass secondary authentication in the console. This also prevents direct operations on backend configuration files and management commands.
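For self-managed instances, the same three protections (network restriction, password, restricted management commands) are configured in redis.conf. As an added example that is not from the page and not part of ApsaraDB for Redis, the following Python script audits a redis.conf for the settings that the attacks above depend on: an instance listening on all interfaces, no or a weak password, and the management commands left reachable under their default names. Both config texts are constructed; the list of commands treated as dangerous and the 16-character password threshold are this example's assumptions, and the check generalises the page's CONFIG and SAVE to the other commands commonly restricted in the same way.

```python
# Added example: audit a redis.conf for the weaknesses discussed above.
# Not from the page or ApsaraDB; the command list and thresholds are assumptions.

# Commands that let a client alter files, wipe data or stop the server.
DANGEROUS_COMMANDS = ("config", "save", "bgsave", "debug",
                      "flushall", "flushdb", "shutdown")
MIN_PASSWORD_LEN = 16   # assumption: AUTH is fast, so short passwords are brute-forceable


def parse_redis_conf(text):
    """Return (settings, renamed). settings maps a directive to its last value;
    renamed maps a command (lower case) to the name rename-command gave it
    ('' means the command is disabled). Comment and blank lines are skipped."""
    settings, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if directive == "rename-command":
            args = value.split()
            if len(args) == 2:
                renamed[args[0].lower()] = args[1].strip('"')
        else:
            settings[directive] = value.strip('"')
    return settings, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weakness was flagged."""
    settings, renamed = parse_redis_conf(text)
    findings = []

    # No bind line means Redis listens on every interface (pre-6.0 default).
    addrs = settings.get("bind", "").split()
    if not addrs or any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind: listens on all interfaces; bind to internal "
                        "addresses only")
    # protected-mode exists since 3.2 and defaults to yes.
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")

    password = settings.get("requirepass", "")
    if not password:
        findings.append("requirepass: no password; any client that can reach "
                        "the port can run commands")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass: shorter than {MIN_PASSWORD_LEN} "
                        "characters; easy to brute-force")

    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd.upper()} is reachable "
                            "under its default name")
    return findings


# Constructed configs: a bare default-style file and a hardened one.
WEAK_CONF = """
# constructed example: typical settings of an exposed instance
port 6379
protected-mode no
"""

HARDENED_CONF = """
# constructed example: internal addresses only, password, commands renamed
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass "a-long-random-passphrase-for-this-instance"
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command SHUTDOWN ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or ['no findings']}")
```

Renaming a command to an empty string disables it entirely; if operators still need SAVE or CONFIG from an administrative host, rename them to a long random name instead so that a client which only knows the default names, such as the cross-site POST above, cannot reach them.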

Security monitoring

ApsaraDB for Redis has a complete security monitoring system for its physical machines. Monitoring policies are scanned and updated regularly so that security risks are discovered as early as possible.

Redis cluster password

The native Redis 3.0 cluster does not support password verification. The ApsaraDB for Redis cluster edition supports password verification, which improves security.
