Severity: HIGH | Tags: auth bypass, redis

Auth Bypass in Redis

How Auth Bypass Manifests in Redis

Authentication bypass in Redis means a client reaches the server and executes commands without valid credentials. It is rarely a flaw in the AUTH command itself: the common case is an instance exposed to the internet, or to a network it should not trust, with no password configured. If neither requirepass nor an ACL file is set, the built-in default user has nopass, and any client that can open a TCP connection is fully authorized. Since Redis 3.2, protected mode answers every command from a non-loopback address with -DENIED while no password is configured, and that is the only thing in the way: it is switched off by protected-mode no, which many container images and tutorials do, and older versions also dropped it as soon as an explicit bind directive was present, so it should not be relied on.

Attackers exploit this by connecting to the Redis port (6379 by default) and issuing commands that can lead to data exfiltration, cache poisoning, or remote code execution. Redis is often run with more privilege than it needs, sometimes as root, and it commonly holds session data, API keys, or user records, so an auth bypass hands an attacker both the data and, through commands such as CONFIG SET, a foothold on the host.

Redis auth bypass often manifests through:

  • Unprotected Redis instances accessible via public IP addresses
  • Redis instances bound to 0.0.0.0 instead of 127.0.0.1
  • Redis instances without requirepass configuration
  • Redis instances accepting connections from unauthorized networks
  • The built-in default user left enabled with nopass after an ACL file adds named users, or a password copied from a tutorial or committed to a repository

The attack surface expands significantly when Redis is used for session storage, token caching, or API rate limiting. An attacker who bypasses authentication can manipulate session tokens, invalidate legitimate user sessions, or poison rate limiting counters to enable credential stuffing attacks.

Redis-Specific Detection

Detecting Redis authentication bypass requires both configuration analysis and runtime scanning. Configuration analysis involves checking Redis configuration files for the presence of requirepass directives and binding settings. Runtime scanning tests whether the Redis instance actually enforces authentication by attempting connections without credentials.
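As an added illustration of the configuration-analysis half (example code written for this page, not middleBrick's scanner), the following Python reads a redis.conf in the directive-per-line form redis-server uses and reports the authentication-relevant combinations of requirepass/aclfile, bind and protected-mode. The two configs at the bottom are constructed samples, and the severity labels are this example's own.

```python
from __future__ import annotations

import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Parse redis.conf into {directive: args}. Like redis-server, a later
    occurrence of a directive overrides an earlier one. 'include' files are
    not followed, so feed this the effective, merged configuration."""
    conf: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as requirepass "a b"
        if parts:
            conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings about who can reach this instance
    and whether they have to authenticate."""
    conf = parse_redis_conf(text)
    findings: list[tuple[str, str]] = []

    password = (conf.get("requirepass") or [""])[0]
    has_auth = bool(password) or "aclfile" in conf
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    # Redis 7 accepts a '-' prefix meaning "skip this address if it is absent".
    binds = [b.lstrip("-") for b in conf.get("bind", [])]
    exposed = [b for b in binds if b not in LOOPBACK]

    if not has_auth:
        if exposed:
            findings.append(("CRITICAL",
                "no requirepass or aclfile and bind includes " + ", ".join(exposed)))
        elif not binds and not protected:
            findings.append(("CRITICAL",
                "no requirepass or aclfile, no bind and protected-mode no: "
                "every interface, no authentication"))
        elif not binds:
            findings.append(("HIGH",
                "no requirepass or aclfile; protected mode is the only thing "
                "keeping remote clients out"))
        else:
            findings.append(("MEDIUM",
                "no requirepass or aclfile; loopback-only, but any local "
                "process gets full access"))
    if not protected:
        findings.append(("HIGH",
            "protected-mode no removes the fallback that blocks remote clients "
            "when no password is set"))
    if password and len(password) < 16:
        findings.append(("MEDIUM",
            f"requirepass is {len(password)} characters; AUTH is cheap enough "
            "to brute-force short passwords online"))
    if has_auth and exposed and "tls-port" not in conf:
        findings.append(("LOW",
            "credentials and data cross the network in plaintext; consider tls-port"))
    return findings


# Constructed samples (not real deployments) for the usage below.
EXPOSED_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
aclfile /etc/redis/users.acl
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "no findings")
```

Run it against the output of CONFIG GET * (rewritten as directive lines) rather than the file on disk if you suspect the running instance differs from its config; an attacker who already has access can change both.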

middleBrick performs Redis-specific authentication bypass detection through its black-box scanning approach. The scanner attempts to establish connections to Redis endpoints without authentication and analyzes the responses. If the server responds with a successful connection and allows command execution, this indicates an authentication bypass vulnerability.

Key detection patterns include:

  • Successful connection to Redis port 6379 without authentication
  • Ability to execute INFO command and retrieve server details
  • Ability to execute CONFIG GET to view server configuration
  • Ability to enumerate stored data (a scanner should use SCAN rather than KEYS, which blocks the server on a large keyspace)
  • Destructive commands such as FLUSHALL, FLUSHDB and CONFIG SET being reachable (inferred from the absence of NOAUTH on a harmless command, never by executing them)

middleBrick's Redis detection also analyzes OpenAPI specifications if provided, checking for Redis endpoints in API documentation and correlating this with runtime findings. The scanner tests 12 security categories in parallel, with authentication bypass detection being a primary focus for Redis instances.

Additional detection involves network-level analysis to identify Redis instances accessible from public networks, checking for default ports, and analyzing response patterns that indicate unauthenticated access is permitted.

Redis-Specific Remediation

Remediating Redis authentication bypass requires a multi-layered approach focusing on configuration, network security, and operational practices. The primary remediation is enabling authentication through the requirepass directive in the Redis configuration file.

Basic authentication configuration:

# Use a long random secret: AUTH costs the server almost nothing, so short passwords fall to online brute force
requirepass your_strong_password_here

However, a single shared password has limitations: every client is the same all-powerful user, and rotating it means changing it everywhere at once. For production environments, use Redis ACLs (Access Control Lists), introduced in Redis 6.0:

# Load users from an ACL file. "user" lines in redis.conf and an aclfile are
# mutually exclusive; requirepass is just shorthand for a password on the
# built-in "default" user.
aclfile /etc/redis/users.acl

# Example users.acl file:
# Disable the built-in default user, which otherwise stays enabled with nopass
user default off
# admin: all keys, all pub/sub channels (Redis 7 denies channels unless granted), all commands
user admin on >strong_password_here ~* &* +@all
# app: its own key prefix, read/write, minus FLUSHALL, CONFIG, DEBUG, MODULE and the rest of @dangerous
user app on >app_password_here ~app:* +@read +@write -@dangerous
user metrics on >metrics_password_here ~metrics:* +@read

Network-level protections are equally important:

# Listen on loopback only (Redis 7 default form; -::1 means "if IPv6 is available")
bind 127.0.0.1 -::1

# Or, if remote clients genuinely need access, the one internal interface they use
bind 192.168.1.100

# Keep the default; it is the fallback if the password is ever removed
protected-mode yes

Firewall configuration to restrict access:

# UFW (Ubuntu): the allow rule only means something with a deny default
ufw default deny incoming
ufw allow from 192.168.1.0/24 to any port 6379 proto tcp

# iptables: rules are evaluated in order, so the ACCEPT must be appended before the DROP
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

For containerized environments, Redis should be isolated within the container network and not exposed to the host or external networks. Use Docker Compose with proper network segmentation (REDIS_PASSWORD comes from the environment or a .env file; note it is still visible in the container's argv and docker inspect, so treat the host as trusted):

services:
  redis:
    image: redis:7-alpine
    # Bind to all container interfaces: the "internal" network has no route
    # outside the compose project, so only sibling services can reach it.
    # Binding to 127.0.0.1 inside the container would lock the app out too.
    command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}", "--bind", "0.0.0.0"]
    networks:
      - internal
    volumes:
      - redis_data:/data
    # no "ports:" entry: publishing 6379 would expose it on the host

  app:
    image: your-app:latest   # placeholder for the service that talks to Redis
    networks:
      - internal

networks:
  internal:
    internal: true

volumes:
  redis_data:

Additional security measures include:

  • Using TLS for Redis connections (tls-port, tls-cert-file, tls-key-file, tls-ca-cert-file), with port 0 to turn off the plaintext listener once clients have migrated
  • Authenticating replication and Sentinel as well: masterauth on replicas, sentinel auth-pass for Sentinel, and the same ACL file on every node, since an unprotected replica or cluster node is the same bypass one hop away
  • Regular rotation of Redis passwords and ACL credentials (ACL SETUSER can add a new password before the old one is removed, so clients can roll over without downtime)
  • Monitoring ACL LOG (Redis 6+) for failed AUTH and denied commands; the server log does not record them
  • Applying ACL rules to the commands added by any loaded modules (e.g. RedisJSON), not only the built-in command set

Application-level integration should use Redis clients that support modern authentication methods and validate server certificates when using TLS.

Related CWEs (authentication)

CWE ID    Name                                                          Severity
CWE-287   Improper Authentication                                       CRITICAL
CWE-306   Missing Authentication for Critical Function                  CRITICAL
CWE-307   Improper Restriction of Excessive Authentication Attempts     HIGH
CWE-308   Use of Single-factor Authentication                           MEDIUM
CWE-309   Use of Password System for Primary Authentication             MEDIUM
CWE-347   Improper Verification of Cryptographic Signature              HIGH
CWE-384   Session Fixation                                              HIGH
CWE-521   Weak Password Requirements                                    MEDIUM
CWE-613   Insufficient Session Expiration                               MEDIUM
CWE-640   Weak Password Recovery Mechanism for Forgotten Password       HIGH

Frequently Asked Questions

Can Redis authentication bypass lead to remote code execution?
Yes, in certain configurations. Redis itself only executes Redis commands, but an unauthenticated client can turn several of them into code execution. The long-standing technique is CONFIG SET dir and dbfilename followed by SAVE, which writes an RDB snapshot containing attacker-controlled content to a path of the attacker's choosing (an SSH authorized_keys file, a cron directory, a web root); it works wherever the Redis process user can write, which is one reason Redis must not run as root. MODULE LOAD pulls an arbitrary shared object into the server process if the attacker can get a file onto the host and the command is not blocked. EVAL runs Lua inside Redis's sandbox, so by itself it gives Redis-level rather than OS-level execution, although sandbox escapes have been found in some builds. Finally, a writable cache is a deserialization gadget: if the application unpickles or unserializes objects it reads back from Redis, poisoning those values leads to RCE in the application. Running Redis as an unprivileged user, disabling or renaming CONFIG, MODULE and DEBUG, and granting application users -@dangerous closes most of these paths.
How does middleBrick detect Redis authentication bypass without credentials?
middleBrick uses black-box scanning techniques that attempt to establish connections to Redis endpoints without providing authentication credentials. If the Redis server responds with a successful connection and allows command execution (such as INFO or KEYS), this indicates an authentication bypass vulnerability. The scanner analyzes response patterns and attempts various Redis commands to confirm the security posture without requiring any credentials.