Researchers Find Over 6,000 Compromised Redis Installations (riskbasedsecurity.com)

← Back to Stories (view on slashdot.org)

Researchers Find Over 6,000 Compromised Redis Installations (riskbasedsecurity.com)

Posted by EditorDavid on Saturday July 9, 2016 @02:30AM from the open-source-in-memory-data-structure-store dept.

An anonymous Slashdot reader writes: Security researchers have discovered over 6,000 compromised installations of Redis, the open source in-memory data structure server, among the tens of thousands of Redis servers indexed by Shodan. "By default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user."

The researchers also found 106 different Redis versions compromised, suggesting "there are a lot of Redis installations that are not upgrading to the most recent versions to fix any known security issues." 5,892 infections were linked to the same email address, with two more email addresses that were both linked to more than 200. "The key take away from this research for us has been that insecure default installations continue to be a significant issue, even in 2016."
Redis "is designed to be accessed by trusted clients inside trusted environments," according to its documentation. "This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket... Redis is not optimized for maximum security but for maximum performance and simplicity."

30 comments

Min score:

Reason:

Sort:

Lemme guess... by Anonymous Coward · 2016-07-09 02:39 · Score: 1, Informative

Belonging to outsourced "software engineers" (i.e. copy-pasters) making $3/hr working for Tata or Infosys?
"5,892 infections were linked to the same email address, with two more email addresses that were both linked to more than 200."
1. Re:Lemme guess... by Anonymous Coward · 2016-07-09 03:32 · Score: 1
  
  Most of them belonged to American Ruby on Rails and node.js programmers.
2. Re:Lemme guess... by Anonymous Coward · 2016-07-09 08:28 · Score: 0
  
  fuck off, cuck
RTFM, People! by Zontar+The+Mindless · 2016-07-09 02:51 · Score: 4, Insightful

Redis "is designed to be accessed by trusted clients inside trusted environments," according to its documentation. "This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket..."
What part of "Don't leave this open to the Internet" is not clear?

--
Il n'y a pas de Planet B.
1. Re:RTFM, People! by Anonymous Coward · 2016-07-09 03:05 · Score: 5, Funny
  
  The technical bits written in English.
2. Re:RTFM, People! by Anonymous Coward · 2016-07-09 03:19 · Score: 0
  
  The technical bits written in English.
  ROFLMAO Best response this question is likely to receive.
3. Re:RTFM, People! by OzPeter · 2016-07-09 03:24 · Score: 1, Insightful
  
  FTFY
  
  The bits written in English.
  
  --
  I am Slashdot. Are you Slashdot as well?
4. Re:RTFM, People! by Zontar+The+Mindless · 2016-07-09 03:24 · Score: 1
  
  I (obviously) can't mod this up, but I salute you, Noble Sir|Ma'am|Flipper.
  
  --
  Il n'y a pas de Planet B.
RavenDB, similar problem by Anonymous Coward · 2016-07-09 03:19 · Score: 1

Did some contracting work for a firm that builds software for public transportation. Posting anon because of that. Software uses NServiceBus. They need persistence support for NServiceBus. So that meant that RavenDB got enabled. Suddenly end-customer asks why some port is open and why when they browse to it with a webbrowser they find a website that leaks all sorts of data about travelers and about their billing data.
Response from our project manager: none. He just didn't understand the issue.
I'm sure such horror and daily-wtf stories happen all the times.
1. Re:RavenDB, similar problem by OzPeter · 2016-07-09 03:27 · Score: 1
  
  Response from our project manager: none. He just didn't understand the issue.
  I'm sure such horror and daily-wtf stories happen all the times.
  Sure do. I know of software installed at client sites that has uses the sa account to generate data reports and has the sa password hard coded in plain text on the client machines.
  And yes .. I did raise it as an issue when I saw that .. 4 years ago.
  
  --
  I am Slashdot. Are you Slashdot as well?
2. Re:RavenDB, similar problem by Anonymous Coward · 2016-07-09 03:41 · Score: 3, Interesting
  
  I opened two bugs this week.
  One for a problem that would not affect operations but only display error messages a customer would never see.
  One for a security problem where someone had stored client passwords in plain text in a world readable file.
  Came back the next day and saw that the first one had been assigned a high priority and the second one the lowest possible priority.
  I'm not even surprised.
3. Re:RavenDB, similar problem by Anonymous Coward · 2016-07-09 03:45 · Score: 0
  
  Same, I was the guy raising the issue. Three times. First before I received installation instructions about this RavenDB thing from the other developers (I was release maintainer). My first bug got closed without any action or note. Then a new bug after installation at end-customer. My second bug got closed without any action. And then finally I reopened my two bugs and linked them to the new bug of the end-customer about the open port and the website with data leakage. All three bugs got closed without any action except a meeting request in my Outlook: at that meeting the developers angrily raved to me how great RavenDB is and that it's .NET and this and that. And that this is why the bugs had to be closed. Because RavenDB is great.
  So now the end-customer firewalls the port (because the responsible for software at end customer isn't completely stupid). And there is a new bug about replication and backup of RavebDB not working because of the firewall setting (apparently RavenDB uses the same port for that).
  I BTW quit that contract a few months later. Indeed. Not just because of this.
It's not done when it works by Anonymous Coward · 2016-07-09 03:35 · Score: 1

This is a systemic problem in development, and not just in the software world. Quite often it is difficult to explain the necessity of additional work when the prototype works. Security is invisible, so under tight resource constraints it is the first to get dropped. You can see the same problem in all sorts of tutorials on the web: Almost every tutorial stops once the desired functionality is achieved. It is also important to disable or block off "undesired functionality", yet that part is rarely found in tutorials.
1. Re:It's not done when it works by Jeremiah+Cornelius · 2016-07-09 04:38 · Score: 1
  
  Yes.
  After 20 years involved as a security "pro" for all aspects of operations and development tools support - I concur that the difference between the security mindset and that of other engineering types is a curiosity beyond use cases.
  I refer to these snidely, but in earnest, as the "abuse cases".
  
  --
  "Flyin' in just a sweet place,
  Never been known to fail..."
2. Re:It's not done when it works by Anonymous Coward · 2016-07-09 05:45 · Score: 1
  
  The problem - as so often - is a failing management system. Managers still think that computers are essentially a play box for developers, and they hate the though of someone playing with their money. So on first sight of an apparently working system they yell "all stop and don't move until we tell you to!" while before that moment they constantly shout "show me this works! remember, it just needs to (appear to) work, not bells and whistles, no need to dot the i's and cross the t's! this is not a beauty contest!".
3. Re:It's not done when it works by Plus1Entropy · 2016-07-09 12:54 · Score: 1
  
  It is also important to disable or block off "undesired functionality", yet that part is rarely found in tutorials.
  I often find that when security is discussed the conversation follows the tack of "Well, could someone achieve anything malicious with this functionality?" The implication being that if the answer is "No", then there's no reason to block the access.
  To me, this seems totally backwards. The correct tack would be "Does the system require this functionality to work?" If the answer is "No", then it should always be blocked, even if we can't come up with some way it could be used maliciously.
  
  --
  Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Excellent info /. thank you by execthis · 2016-07-09 04:00 · Score: 2

Thank you for this information. I've seen several how-to guides on setting up Redis in various environments but did not come across this stark warning in any of them!
Why why why by JustAnotherOldGuy · 2016-07-09 04:05 · Score: 1

""By default, Redis has no authentication or security mechanism enabled..."
Why? Why in the world would you make this the default?

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:Why why why by Anonymous Coward · 2016-07-09 04:15 · Score: 0
  
  Which part of "by design" you don't understand? If you want or need authentication, make up your own or don't use redis. It's as simple as that.
  Or do you also think that the CAP theorem is bullshit?
2. Re:Why why why by Anonymous Coward · 2016-07-09 04:38 · Score: 0
  
  Web 3.0 retards who make these projects don't know how to write secure code.
3. Re:Why why why by Desler · 2016-07-09 05:13 · Score: 1
  
  Which part of "That's a really fucking stupid design decision" do you not understand? Also, the CAP theorem has nothing to do with security. The two are not mutually exclauvie as you try to imply.
4. Re:Why why why by Anonymous Coward · 2016-07-09 05:24 · Score: 1
  
  So then LibreOffice's decision not to password protect and encrypt documents by default is also a really fucking stupid decision. Or... tar. Or gz. Or .
  You two seem to fail to understand what a "design decision" means and that software is designed to be optimal for SOME use cases, not ALL.
5. Re:Why why why by Anonymous Coward · 2016-07-09 05:41 · Score: 0
  
  Or if you want to pull a strawman and say LibreOffice is not a database daemon, let's see what PostgreSQL does. It supports authentication and connection encryption. Except, even PostgreSQL devs don't recommend leaving it wide open to public internet. I wonder why. I'm going out on a limb here and hazard a guess it has something to do with that not being the core functionality of Postgres and there being plenty of methods outside of it that I can protect the database with.
  It would be very stupid fucking design decision if Postgres wasted valuable developer time and efforts to implement a security kitchen sink around it. Because indeed, without that, there's no fucking way to properly secure your databases. Nope, none.
6. Re:Why why why by Anonymous Coward · 2016-07-09 05:48 · Score: 0
  
  http://redis.io/topics/security
  it's right there, at the top. This document is linked from the Administration section of the documentation. If you consider yourself a professional surely you would be interested to read that. Or at least ask yourself "I wonder how this is secured?" and then look for information on that. Right?
7. Re:Why why why by Dog-Cow · 2016-07-09 23:54 · Score: 1
  
  PostgreSQL supports SSL-based authentication out of the box. True, the actual configuration is up to the admin, but I have no idea what you're going on about them not including security stuff.
SSH tunnel by packrat0x · 2016-07-09 09:38 · Score: 1

Okay, I'll stick my neck out. Why can't the redis port be tunneled through ssh?

--
227-3517
What the **** is Redis? by Anonymous Coward · 2016-07-09 10:48 · Score: 0

This is the first time I've heard of Redis. Would it have killed you to include a short description in the summary?
From google:

Redis is an open source (BSD licensed), in-memory data structure store, used as database, cache and message broker.
Check 3.2 protected mode by antirez9418 · 2016-07-12 22:31 · Score: 1

@antirez of Redis here. The original idea was to stick to this original model of "care about your setup", but given the disaster of exposed Redis instances, since Redis 3.2 version, now Redis has a "protected mode" feature that basically means that when the server detects to be: 1) configured to listen to all interfaces. 2) Without any password set, it enters a special setup where connections from localhost works, but connection from external interfaces are accepted only to be served with a fixed reply "This is protected mode bla bla bla make sure you understand that this instance is not secure". The long message includes instructions on how to fix the setup ASAP in different ways (both secure and insecure ways) in order to re-allow access from external clients. So this should improve in the next months as people upgrade.