CVE-2021-32672 Overview
CVE-2021-32672 is an out-of-bounds read vulnerability affecting Redis, the popular open-source in-memory database. The vulnerability exists in the Redis Lua Debugger component, where malformed requests can cause the debugger's protocol parser to read data beyond the actual buffer boundaries. This memory safety issue affects all Redis versions with Lua debugging support, specifically versions 3.2 and newer.
Critical Impact
Authenticated attackers with access to the Redis Lua Debugger can trigger an out-of-bounds read condition, potentially exposing sensitive memory contents and leading to information disclosure.
Affected Products
- Redis versions 3.2 to 5.0.13
- Redis versions 6.0.0 to 6.0.15
- Redis versions 6.2.0 to 6.2.5
- Red Hat Software Collections
- Red Hat Enterprise Linux 8.0
- Debian Linux 10.0 and 11.0
- Fedora 33, 34, and 35
- NetApp Management Services for Element Software
- NetApp Management Services for NetApp HCI
- Oracle Communications Operations Monitor 4.3, 4.4, and 5.0
Discovery Timeline
- October 4, 2021 - CVE-2021-32672 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-32672
Vulnerability Analysis
This vulnerability stems from improper bounds checking in the ldbReplParseCommand function within Redis's Lua debugging subsystem. When the Lua debugger is enabled and processing incoming debugging commands, the protocol parser fails to properly validate the length of incoming data before reading it into memory. This allows an authenticated attacker to craft malicious requests that cause the parser to read beyond the allocated buffer, potentially exposing adjacent memory contents.
The vulnerability requires an attacker to have authenticated access to a Redis instance with Lua debugging enabled. While the attack vector is network-based with low complexity, the impact is limited to confidentiality, as the vulnerability only allows reading memory contents and provides neither write capabilities nor code execution.
Root Cause
The root cause lies in insufficient input validation within the Lua debugger's protocol parsing logic. The ldbReplParseCommand function in src/scripting.c did not properly verify that incoming command data fit within the expected buffer boundaries before processing. This oversight allowed specially crafted requests to trigger reads past the end of the allocated buffer memory.
Attack Vector
An attacker must first establish an authenticated connection to a Redis instance that has Lua debugging enabled. By sending a malformed debugging command with manipulated length fields or unexpected data structures, the attacker can force the protocol parser to attempt reading data beyond the allocated buffer. This out-of-bounds read can leak sensitive information from Redis's process memory, potentially including cached data, internal structures, or other data residing in adjacent memory regions.
/* Expect a valid multi-bulk command in the debugging client query buffer.
* On success the command is parsed and returned as an array of SDS strings,
* otherwise NULL is returned and there is to read more buffer. */
-sds *ldbReplParseCommand(int *argcp) {
+sds *ldbReplParseCommand(int *argcp, char** err) {
+ static char* protocol_error = "protocol error";
sds *argv = NULL;
int argc = 0;
if (sdslen(ldb.cbuf) == 0) return NULL;
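Review bot: the new err out-parameter is not initialized on the early-return path, since `if (sdslen(ldb.cbuf) == 0) return NULL;` still returns NULL without touching `*err`, so a caller can only tell "wait for more input" from "protocol error" if it sets its own err to NULL before every call; either assign `*err = NULL;` at the top of the function or state that contract in the header comment, which still documents NULL only as "read more buffer" and does not mention err or protocol_error at all. Minor: `static char* protocol_error` points at a string literal, so `static const char *` (with a matching `const char **err`) would let the compiler catch any write through it.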
Source: GitHub Redis Commit
Detection Methods for CVE-2021-32672
Indicators of Compromise
- Unusual debugging commands or malformed protocol requests observed in Redis logs
- Unexpected memory access patterns or segmentation fault errors in Redis process
- Anomalous network traffic patterns targeting Redis debugging ports
- Evidence of Lua debugger sessions from unauthorized or unexpected sources
Detection Strategies
- Monitor Redis logs for debugging session activity and unusual error patterns related to protocol parsing
- Implement network intrusion detection rules to identify malformed Redis debugging protocol traffic
- Deploy runtime application monitoring to detect out-of-bounds memory access attempts
- Conduct regular vulnerability scanning to identify unpatched Redis instances in your environment
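For the scanning item above, a practitioner usually wants a deterministic check of a reported version against the affected ranges this advisory lists (3.2 to 5.0.13, 6.0.0 to 6.0.15, 6.2.0 to 6.2.5). The C program below is an added example, not code from Redis or from any scanner: it pulls the redis_version field out of INFO output and classifies it. The function names, the redis_version struct and the INFO excerpt in main() are constructed for this example; the version boundaries come from the advisory text.

```c
#include <stdio.h>
#include <string.h>

/* Parsed Redis version triple (assumed helper type for this example). */
typedef struct { int major, minor, patch; } redis_version;

/* Three-way compare of two version triples. */
static int version_cmp(redis_version a, redis_version b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Parse "x.y.z" at the start of s. Returns 1 on success, 0 otherwise. */
int parse_redis_version(const char *s, redis_version *out) {
    redis_version v = {0, 0, 0};
    if (sscanf(s, "%d.%d.%d", &v.major, &v.minor, &v.patch) != 3) return 0;
    if (v.major < 0 || v.minor < 0 || v.patch < 0) return 0;
    *out = v;
    return 1;
}

/* Locate the "redis_version:" line in INFO output and parse its value.
 * Only a match at the start of a line counts. Returns 1 on success. */
int redis_version_from_info(const char *info, redis_version *out) {
    const char *key = "redis_version:";
    const char *p = info;
    while ((p = strstr(p, key)) != NULL) {
        if (p == info || p[-1] == '\n')
            return parse_redis_version(p + strlen(key), out);
        p += strlen(key);
    }
    return 0;
}

/* Affected ranges as listed in this advisory: 3.2 to 5.0.13, 6.0.0 to 6.0.15
 * and 6.2.0 to 6.2.5 (first fixed releases 5.0.14, 6.0.16, 6.2.6). Returns 1
 * when v lies inside one of them; anything else, including 7.x, returns 0. */
int cve_2021_32672_affected(redis_version v) {
    static const struct { redis_version lo, hi; } ranges[] = {
        { {3, 2, 0}, {5, 0, 13} },
        { {6, 0, 0}, {6, 0, 15} },
        { {6, 2, 0}, {6, 2, 5} },
    };
    for (size_t i = 0; i < sizeof ranges / sizeof ranges[0]; i++)
        if (version_cmp(v, ranges[i].lo) >= 0 && version_cmp(v, ranges[i].hi) <= 0)
            return 1;
    return 0;
}

int main(void) {
    /* Constructed INFO server excerpt in the shape redis-cli returns it. */
    const char *info = "# Server\r\nredis_version:6.2.5\r\nredis_git_sha1:00000000\r\n"
                       "redis_mode:standalone\r\nos:Linux 5.10.0 x86_64\r\n";
    redis_version v;
    if (!redis_version_from_info(info, &v)) { puts("no redis_version field"); return 1; }
    printf("redis %d.%d.%d: %s\n", v.major, v.minor, v.patch,
           cve_2021_32672_affected(v) ? "inside an affected range, upgrade"
                                      : "not in an affected range");
    return 0;
}
```

Feed it the output of INFO server collected from each instance in inventory; a version outside every listed range (for example 6.1.x development builds or 7.x) is reported as not affected because the advisory names no range for it, so treat that result as "not listed" rather than as proof of a fix.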
Monitoring Recommendations
- Enable verbose logging for Redis Lua debugger operations to capture potential exploitation attempts
- Configure alerts for unexpected Redis debugging sessions or connections from untrusted networks
- Implement memory monitoring tools to detect abnormal memory access patterns in Redis processes
- Review authentication logs for Redis instances to identify potential unauthorized access
How to Mitigate CVE-2021-32672
Immediate Actions Required
- Upgrade Redis to patched versions: 6.2.6, 6.0.16, or 5.0.14
- Disable Lua debugging functionality if not required in production environments
- Restrict network access to Redis instances using firewall rules and access controls
- Ensure Redis authentication is properly configured and enforced
Patch Information
Redis has released security patches addressing this vulnerability. The fix adds proper error handling and bounds checking to the ldbReplParseCommand function, introducing an error parameter to properly report protocol parsing errors. The patched versions are:
- Redis 6.2.6 for the 6.2.x branch
- Redis 6.0.16 for the 6.0.x branch
- Redis 5.0.14 for the 5.0.x branch
Refer to the GitHub Security Advisory for detailed information. Additional vendor advisories are available from Debian Security Advisory DSA-5001, NetApp Security Advisory, and Oracle Security Alert.
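The bounds discipline that the Root Cause and Attack Vector analysis describes as missing, and that the Patch Information section describes the fix as restoring, is shown below as an added example. This is not Redis's ldbReplParseCommand and not code from the referenced commit; it is a stand-alone C parser for the same multi-bulk framing (`*<argc>\r\n` followed by `$<len>\r\n<payload>\r\n` items) written so that every read is preceded by a check against the end of the buffer, and so that the result separates an incomplete command (wait for more bytes) from a protocol error (reject). The function names, the LDB_ prefixes, the caps MAX_ARGS and MAX_BULK_LEN and the sample commands in main() are all assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one parse attempt over the bytes received so far. */
typedef enum {
    LDB_PARSE_OK = 0,      /* a complete command was parsed */
    LDB_PARSE_INCOMPLETE,  /* the buffer ends mid-command: read more first */
    LDB_PARSE_PROTOERR     /* malformed framing: reject the command */
} ldb_parse_status;

#define MAX_ARGS 64        /* caps assumed for this example */
#define MAX_BULK_LEN 1024

/* First "\r\n" in [p, end), or NULL if the buffer ends before one. */
static const char *find_crlf(const char *p, const char *end) {
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n') return p;
    return NULL;
}

/* Decimal length in [p, stop): -1 unless non-empty, all digits and <= max. */
static long parse_len(const char *p, const char *stop, long max) {
    long v = 0;
    if (p >= stop) return -1;
    for (; p < stop; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
        v = v * 10 + (*p - '0');
        if (v > max) return -1;
    }
    return v;
}

void ldb_free_argv(char **argv, int argc) {
    for (int i = 0; i < argc; i++) free(argv[i]);
    free(argv);
}

/* Parse a multi-bulk command from buf[0..len). On LDB_PARSE_OK the caller gets
 * a heap-allocated argument vector and the number of bytes consumed; on any
 * other status nothing stays allocated. No byte at or past buf+len is read. */
ldb_parse_status ldb_parse_multibulk(const char *buf, size_t len, char ***argvp,
                                     int *argcp, size_t *consumed) {
    const char *p = buf, *end = buf + len, *crlf;
    char **argv = NULL;
    int argc, i = 0;
    *argvp = NULL; *argcp = 0; *consumed = 0;
    if (len == 0) return LDB_PARSE_INCOMPLETE;
    if (*p != '*') return LDB_PARSE_PROTOERR;
    if (!(crlf = find_crlf(p, end))) return LDB_PARSE_INCOMPLETE;
    long n = parse_len(p + 1, crlf, MAX_ARGS);
    if (n <= 0) return LDB_PARSE_PROTOERR;
    argc = (int)n;
    p = crlf + 2;
    if (!(argv = calloc((size_t)argc, sizeof(char *)))) return LDB_PARSE_PROTOERR;

    for (i = 0; i < argc; i++) {
        if (p >= end) goto incomplete;               /* next "$" not received yet */
        if (*p != '$') goto protoerr;
        if (!(crlf = find_crlf(p, end))) goto incomplete;
        long slen = parse_len(p + 1, crlf, MAX_BULK_LEN);
        if (slen < 0) goto protoerr;                  /* non-numeric or above cap */
        p = crlf + 2;
        /* The check this CVE was missing: the declared payload plus its CRLF
         * must lie inside the buffer before a single byte of it is read. */
        if ((size_t)(end - p) < (size_t)slen + 2) goto incomplete;
        if (p[slen] != '\r' || p[slen + 1] != '\n') goto protoerr;
        if (!(argv[i] = malloc((size_t)slen + 1))) goto protoerr;
        memcpy(argv[i], p, (size_t)slen);
        argv[i][slen] = '\0';
        p += slen + 2;
    }
    *argvp = argv; *argcp = argc; *consumed = (size_t)(p - buf);
    return LDB_PARSE_OK;
incomplete:
    ldb_free_argv(argv, i);
    return LDB_PARSE_INCOMPLETE;
protoerr:
    ldb_free_argv(argv, i);
    return LDB_PARSE_PROTOERR;
}

int main(void) {
    /* Constructed inputs: complete "step 5", truncated, declared length past
     * the received bytes, and a payload without its CRLF terminator. */
    const char *samples[] = { "*2\r\n$4\r\nstep\r\n$1\r\n5\r\n", "*2\r\n$4\r\nst",
                              "*1\r\n$10\r\nabc\r\n", "*1\r\n$3\r\nabcde\r\n" };
    const char *names[] = { "ok", "incomplete", "protoerr" };
    for (int k = 0; k < 4; k++) {
        char **argv; int argc; size_t used;
        ldb_parse_status st = ldb_parse_multibulk(samples[k], strlen(samples[k]),
                                                  &argv, &argc, &used);
        printf("sample %d: %s (argc=%d)\n", k, names[st], argc);
        if (st == LDB_PARSE_OK) ldb_free_argv(argv, argc);
    }
    return 0;
}
```

A declared length larger than what has been received (but within MAX_BULK_LEN) is reported as incomplete instead of being read through, which is the failure mode behind the CVE; a length above the cap, a non-numeric length, or a payload not followed by CRLF is a protocol error, and in every non-OK case the partially built argument vector is freed before returning so the caller cannot leak or reuse it.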
Workarounds
- Disable Lua debugging by ensuring the DEBUG command is restricted or disabled in production
- Use Redis ACLs to prevent unauthorized users from accessing debugging functionality
- Deploy Redis behind network segmentation to limit exposure to trusted internal networks only
- Configure Redis bind directive to restrict listening interfaces and prevent external access
# Configuration example - Restrict Redis access and disable dangerous commands
# In redis.conf:
bind 127.0.0.1 ::1
protected-mode yes
requirepass <strong_password_here>
# Use ACLs to restrict debugging commands (Redis 6.0+).
# A "user default" line in redis.conf resets the default user before its rules
# are applied, so the rule has to restate the user's state, password, key
# pattern and command set; a bare "user default -DEBUG" would leave the default
# user switched off with no commands at all. With this line in place the
# requirepass directive above only restates the same password.
user default on ><strong_password_here> ~* +@all -DEBUG
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.