HIGH: Open Redis Report

DESCRIPTION LAST UPDATED: 2024-06-26

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the Redis key-value store running and accessible (without authentication) on the Internet.

See redis.io for more information on Redis, which states:

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

Instances that are exposed on the Internet without any authentication/access controls are trivial to attack.

This report ONLY contains instances that do NOT have any authentication in place.

In addition, Redis has also had a number of vulnerabilities associated with it and has been targeted by malware like P2Pinfect that has exploited CVE-2022-0543. This is a (Debian-specific) Lua sandbox escape that can result in command execution. See the blog post by Cado Security for more details. This vulnerability is also in the CISA Known Exploited Vulnerabilities (KEV) catalog. We do NOT tag for this vulnerability, as it only affects Debian derived instances, which we cannot determine remotely.

You can track latest Redis (no authentication) exposure on our Dashboard.

If you receive a report, assume compromise of your instance.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename: scan_redis

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the Redis response came on (always TCP)
port

Port that the Redis response came from (usually 6379/TCP)
hostname

Reverse DNS name of the device in question
tag

Will always be redis
version

Redis version number
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
git_sha1

Git SHA1 value
git_dirty_flag

Git "dirty" flag
build_id

The redis_build_id
mode

The redis_mode (standalone or clustered)
os

Operating System hosting the Redis server
architecture

The "arch_bits" architecture (32 or 64 bits)
multiplexing_api

Event loop mechanism used by Redis
gcc_version

Version of the GCC compiler used to compile the Redis server
process_id

Process ID (PID) of the running Redis server instance
run_id

Random value identifying the Redis server
uptime

Number of seconds since Redis server start
connected_clients

The number of client connections to the Redis server
sector

Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","git_sha1","git_dirty_flag","build_id","mode","os","architecture","multiplexing_api","gcc_version","process_id","run_id","uptime","connected_clients","sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,6379,node01.example.com,redis,7.2.3,64512,ZZ,Region,City,0,ptr,00000000,0,26f7443749f1b9a6,standalone,"Linux 5.4.0-122-generic x86_64",,epoll,12.2.1,1,e188eede10e629718b4650a0ace83b7766b0e4e9,643889,8,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,6379,node02.example.com,redis,7.0.11,64512,ZZ,Region,City,0,ptr,00000000,0,3af367a78d5e21e9,standalone,"Linux 5.19.0-1025-aws x86_64",,epoll,11.3.0,413436,23844e73d07cdd65ca4ed069370278406ee8ea53,8926464,2,"Retail Trade"
"2010-02-10 00:00:02",high,192.168.0.3,tcp,6379,node03.example.com,redis,6.2.10,64512,ZZ,Region,City,0,,00000000,0,8317b5833f3f63c1,standalone,"Linux 5.15.0-56-generic x86_64",,epoll,10.2.1,1,341f56895e4867f1ecef5b7c8cf655e07e38737a,23961641,1,"Communications, Service Provider, and Hosting Service"

Our 131 Report Types

« Back to Network Reporting