HIGH: Open Redis Report

DESCRIPTION LAST UPDATED: 2024-06-26

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the Redis key-value store running and accessible (without authentication) on the Internet.

See redis.io for more information on Redis, which states:

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

Instances that are exposed on the Internet without any authentication/access controls are trivial to attack.

This report ONLY contains instances that do NOT have any authentication in place.

In addition, Redis has had a number of vulnerabilities associated with it and has been targeted by malware such as P2Pinfect, which has exploited CVE-2022-0543. This is a (Debian-specific) Lua sandbox escape that can result in command execution. See the blog post by Cado Security for more details. This vulnerability is also in the CISA Known Exploited Vulnerabilities (KEV) catalog. We do NOT tag for this vulnerability, as it only affects Debian-derived instances, which we cannot determine remotely.

You can track the latest Redis (no authentication) exposure on our Dashboard.

If you receive a report, assume compromise of your instance.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename: scan_redis

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the Redis response came on (always TCP)
  • port
    Port that the Redis response came from (usually 6379/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be redis
  • version
    Redis version number
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • git_sha1
    Git SHA1 value
  • git_dirty_flag
    Git "dirty" flag
  • build_id
    The redis_build_id
  • mode
    The redis_mode (standalone or clustered)
  • os
    Operating System hosting the Redis server
  • architecture
    The "arch_bits" architecture (32 or 64 bits)
  • multiplexing_api
    Event loop mechanism used by Redis
  • gcc_version
    Version of the GCC compiler used to compile the Redis server
  • process_id
    Process ID (PID) of the running Redis server instance
  • run_id
    Random value identifying the Redis server
  • uptime
    Number of seconds since Redis server start
  • connected_clients
    The number of client connections to the Redis server
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","git_sha1","git_dirty_flag","build_id","mode","os","architecture","multiplexing_api","gcc_version","process_id","run_id","uptime","connected_clients","sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,6379,node01.example.com,redis,7.2.3,64512,ZZ,Region,City,0,ptr,00000000,0,26f7443749f1b9a6,standalone,"Linux 5.4.0-122-generic x86_64",,epoll,12.2.1,1,e188eede10e629718b4650a0ace83b7766b0e4e9,643889,8,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,6379,node02.example.com,redis,7.0.11,64512,ZZ,Region,City,0,ptr,00000000,0,3af367a78d5e21e9,standalone,"Linux 5.19.0-1025-aws x86_64",,epoll,11.3.0,413436,23844e73d07cdd65ca4ed069370278406ee8ea53,8926464,2,"Retail Trade"
"2010-02-10 00:00:02",high,192.168.0.3,tcp,6379,node03.example.com,redis,6.2.10,64512,ZZ,Region,City,0,,00000000,0,8317b5833f3f63c1,standalone,"Linux 5.15.0-56-generic x86_64",,epoll,10.2.1,1,341f56895e4867f1ecef5b7c8cf655e07e38737a,23961641,1,"Communications, Service Provider, and Hosting Service"
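
A recipient can triage this report as in the following added example, which is not part of the original report documentation: it parses a file in the scan_redis layout, keeps the rows inside netblocks the recipient is responsible for, and derives from timestamp and uptime when each running Redis process started. The netblocks passed in and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed rows in the scan_redis column layout; none describe a real host.
SAMPLE = '''"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","git_sha1","git_dirty_flag","build_id","mode","os","architecture","multiplexing_api","gcc_version","process_id","run_id","uptime","connected_clients","sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,6379,node01.example.com,redis,7.2.3,64512,ZZ,Region,City,0,ptr,00000000,0,build01,standalone,"Linux 5.4.0 x86_64",,epoll,12.2.1,1,run01,86400,8,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,6379,node02.example.com,redis,7.0.11,64512,ZZ,Region,City,0,ptr,00000000,0,build02,standalone,"Linux 5.19.0 x86_64",,epoll,11.3.0,413436,run02,3600,2,"Retail Trade"
"2010-02-10 00:00:02",high,10.9.9.9,tcp,6379,node03.example.com,redis,6.2.10,64512,ZZ,Region,City,0,,00000000,0,build03,standalone,"Linux 5.15.0 x86_64",,epoll,10.2.1,1,run03,60,1,"Communications, Service Provider, and Hosting Service"
'''


def triage(report_text, networks):
    """Return findings for rows whose ip is inside `networks`, longest-running first."""
    nets = [ipaddress.ip_network(n) for n in networks]
    findings = []
    # csv handles the quoted os and sector values, which contain spaces and commas.
    for row in csv.DictReader(io.StringIO(report_text)):
        ip = ipaddress.ip_address(row["ip"])
        if not any(ip in net for net in nets):
            continue
        # The timestamp field is documented as UTC+0.
        probed = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        probed = probed.replace(tzinfo=timezone.utc)
        uptime = int(row["uptime"] or 0)  # seconds since Redis server start
        findings.append({
            "ip": str(ip),
            "port": int(row["port"]),
            "version": row["version"],
            "sector": row["sector"],
            "clients": int(row["connected_clients"] or 0),
            "uptime": uptime,
            # Start of the running server process: review logs from here onward.
            "running_since": probed - timedelta(seconds=uptime),
        })
    return sorted(findings, key=lambda f: f["uptime"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE, ["192.168.0.0/24"]):
        print(f["ip"], f["port"], f["version"],
              "running since", f["running_since"].isoformat())
```

The running_since value marks when the current server process started, not when it first became reachable from the Internet, so treat it as the earliest point from which to review this process's activity.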
