CVE-2022-0543
Published: 18 February 2022
Summary
CVE-2022-0543 is a critical-severity Missing Authorization (CWE-862) vulnerability in Debian Linux. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-0543 is a Debian-specific Lua sandbox escape vulnerability in the redis persistent key-value database that stems from a packaging issue. The flaw permits an attacker to break out of the Lua environment and execute arbitrary code on the underlying system. It carries a CVSS 3.1 base score of 10.0 and is tracked under CWE-862.
An unauthenticated remote attacker can exploit the issue over the network without user interaction. Successful exploitation grants full control of the affected redis instance and the host operating system, allowing arbitrary code execution with impacts to confidentiality, integrity, and availability.
Debian addressed the vulnerability in DSA-5081 and the associated security announcement, with corresponding updates available through the package repositories. NetApp also published advisory NTAP-20220331-0004 describing affected products and recommended remediation steps. Public exploit code has been posted to Packet Storm, and the CVE maintains a high EPSS score with a recorded peak of 0.9744.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15665
Vulnerability details
It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
- CWE(s): CWE-862 (Missing Authorization)
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches that close the Debian Lua sandbox escape in Redis.
- AC-6 (Least Privilege): Limits privileges of the Redis process so that a successful Lua sandbox escape yields only minimal system access.
- Disables or restricts the Lua scripting interface when not required, eliminating the attack surface exploited by CVE-2022-0543.
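As an added illustration of the last two controls (not content from this CVE record, from Debian, or from the Redis project), the following Python script audits a redis.conf for the settings that bound how reachable the Lua scripting interface is: network binding, protected mode, authentication, and whether the EVAL, EVALSHA and SCRIPT commands have been disabled. The directive names bind, protected-mode, requirepass and rename-command are real Redis configuration directives; the two configurations in the script are constructed samples, and the checklist is this example's own assumption about what a hardened instance looks like. Narrowing the scripting surface reduces exposure but is not the fix; installing the DSA-5081 update is.

```python
"""Audit a redis.conf for settings that bound the impact of a Lua sandbox
escape such as CVE-2022-0543.

Added example; not part of the CVE record or of the Redis project. The two
configurations below are constructed samples. The directive names are real
Redis directives; the list of checks is this script's own assumption about
what a hardened instance looks like.
"""

# Lua entry points; renaming a command to "" disables it in redis.conf.
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}

# Constructed sample: exposed on every interface, no auth, scripting enabled.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, authenticated, scripting disabled.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass example-placeholder-secret-change-me
rename-command EVAL ""
rename-command EVALSHA ""
rename-command SCRIPT ""
"""


def parse_conf(text):
    """Return (directive, args) pairs from redis.conf text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a sorted list of findings; an empty list means no weak settings."""
    entries = parse_conf(text)
    findings = []

    # 1. Network exposure: the last bind directive wins; none means all interfaces.
    binds = [args for name, args in entries if name == "bind"]
    if not binds or any(addr in ("0.0.0.0", "*", "::") for addr in binds[-1]):
        findings.append("bind: listening on all interfaces")

    # 2. protected-mode should remain enabled.
    modes = [args for name, args in entries if name == "protected-mode"]
    if modes and modes[-1] and modes[-1][0].lower() == "no":
        findings.append("protected-mode: disabled")

    # 3. Without requirepass, remote clients can reach EVAL unauthenticated.
    if not any(name == "requirepass" and args for name, args in entries):
        findings.append("requirepass: not set (unauthenticated access)")

    # 4. Scripting surface: which Lua entry points are still callable.
    disabled = set()
    for name, args in entries:
        if (name == "rename-command" and len(args) >= 2
                and args[0].upper() in SCRIPT_COMMANDS and args[1] in ('""', "''")):
            disabled.add(args[0].upper())
    still_enabled = SCRIPT_COMMANDS - disabled
    if still_enabled:
        findings.append("scripting: " + ", ".join(sorted(still_enabled)) + " still enabled")

    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

On Redis 6 and later, denying the @scripting ACL category per user is the supported alternative to rename-command; in either case the service account running redis-server should be a dedicated unprivileged user (the AC-6 control above) so that an escape from the Lua environment yields little beyond the database itself.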