Netty Redis Codec CRLF Injection Vulnerability Allowing Command Injection and Response Forging

Vulnerability

A CRLF injection vulnerability has been identified in the Netty Redis codec encoder, specifically in versions prior to 4.2.13.Final and 4.1.133.Final. The issue arises because the encoder writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF characters. This lack of validation allows an attacker to inject arbitrary Redis commands or forge fake responses, exploiting the fact that the Redis Serialization Protocol uses CRLF as a delimiter. The vulnerability is present in the 'io.netty.handler.codec.redis.RedisEncoder' component, as well as in related message classes that do not validate input before it is sent over the network.

Impact

Exploitation of this vulnerability could lead to unauthorized injection of Redis commands or manipulation of Redis responses, with potential consequences including execution of sensitive commands, modification or deletion of data, and in some cases, disruption of Redis server availability.

Reproduction

The vulnerability can be reproduced by creating a Redis message using one of the affected message classes, such as 'InlineCommandRedisMessage', 'SimpleStringRedisMessage', or 'ErrorRedisMessage', and including CRLF characters in the content. When the message is sent through a channel, the CRLF characters will be interpreted as command delimiters by the Redis server, allowing for injection of additional commands or manipulation of response data.

Remediation

To address this vulnerability, it is recommended to validate CRLF characters in the message constructors of 'InlineCommandRedisMessage', 'SimpleStringRedisMessage', and 'ErrorRedisMessage', as well as in the 'RedisEncoder' class before writing messages to the output buffer.
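The following Python model is an added example, not Netty's own code, that shows the mechanism behind both the Reproduction and Remediation sections above: inline, simple-string and error messages in RESP are terminated by CRLF with no length prefix, so CR/LF inside their content is indistinguishable from a frame boundary, while length-prefixed bulk strings are not affected. The function names (encode_inline, validate_line_content, read_frames) and the sample inputs are constructed for illustration and do not correspond to Netty APIs.

```python
"""Constructed model of RESP line framing and the constructor-time CRLF check.
This is illustrative code, not Netty's RedisEncoder or its message classes."""

from typing import Callable, List

CRLF = "\r\n"


class CRLFInjectionError(ValueError):
    """Raised when CR or LF appears in content that RESP terminates with CRLF."""


# --- Pre-fix behaviour: content goes to the buffer with no validation ---------

def encode_inline_unchecked(content: str) -> bytes:
    """Inline command: raw text terminated by CRLF, no length prefix."""
    return (content + CRLF).encode("utf-8")


def encode_simple_string_unchecked(content: str) -> bytes:
    """Simple string reply: '+' text CRLF."""
    return ("+" + content + CRLF).encode("utf-8")


def encode_error_unchecked(content: str) -> bytes:
    """Error reply: '-' text CRLF."""
    return ("-" + content + CRLF).encode("utf-8")


# --- Hardened behaviour: reject CR/LF before anything reaches the buffer ------

def validate_line_content(content: str) -> str:
    """The check the advisory recommends in the message constructors and
    in the encoder: in these message types CR or LF can only be a delimiter."""
    if "\r" in content or "\n" in content:
        raise CRLFInjectionError(
            "CR/LF not permitted in inline, simple-string or error content")
    return content


def encode_inline(content: str) -> bytes:
    return encode_inline_unchecked(validate_line_content(content))


def encode_simple_string(content: str) -> bytes:
    return encode_simple_string_unchecked(validate_line_content(content))


def encode_error(content: str) -> bytes:
    return encode_error_unchecked(validate_line_content(content))


# --- Length-prefixed bulk string, for contrast ---------------------------------

def encode_bulk_string(content: str) -> bytes:
    """Bulk string: '$' byte-length CRLF payload CRLF. The reader consumes the
    declared number of bytes, so CRLF inside the payload stays inside it."""
    raw = content.encode("utf-8")
    return b"$" + str(len(raw)).encode("ascii") + b"\r\n" + raw + b"\r\n"


# --- A minimal reader that frames the stream the way a RESP peer does ---------

def read_frames(wire: bytes) -> List[bytes]:
    """Return the logical frames a RESP reader sees: line-based types are cut
    at CRLF, '$' bulk strings are cut by their declared length."""
    frames: List[bytes] = []
    pos = 0
    while pos < len(wire):
        end = wire.index(b"\r\n", pos)
        line = wire[pos:end]
        pos = end + 2
        if line.startswith(b"$"):
            length = int(line[1:])
            payload = wire[pos:pos + length]
            if wire[pos + length:pos + length + 2] != b"\r\n":
                raise ValueError("malformed bulk string")
            pos += length + 2
            frames.append(line + b"\r\n" + payload)
        else:
            frames.append(line)
    return frames


def rejects(encoder: Callable[[str], bytes], content: str) -> bool:
    """True if the encoder refuses the content with CRLFInjectionError."""
    try:
        encoder(content)
    except CRLFInjectionError:
        return True
    return False


if __name__ == "__main__":
    smuggled = "PING" + CRLF + "PING injected"                 # constructed input
    print(read_frames(encode_inline_unchecked(smuggled)))       # two commands on the wire
    print(read_frames(encode_simple_string_unchecked("OK" + CRLF + "-ERR forged")))  # two replies
    print(read_frames(encode_bulk_string(smuggled)))            # one length-prefixed frame
    print(rejects(encode_inline, smuggled))                     # True: blocked before encoding
```

The reader shows why the advisory limits the fix to the three line-terminated message classes and the encoder: a single unchecked inline or simple-string value produces two frames for the peer, whereas the same bytes carried as a bulk string remain one frame. Rejecting rather than escaping is the right choice here, since RESP defines no escape sequence for CRLF in these types.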

Added: May 13, 2026, 7:24 PM
Updated: May 13, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          8.6
impact          1.3
exploitability  8.0
remediation     7.7
relevance       8.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.