attack-surface.md

Attack Surface Analysis for valkey-io/valkey

Attack Surface: Network Exposure and Unauthenticated Access

• 1. Network Exposure and Unauthenticated Access

  • Description: Direct, unauthenticated access to the Valkey instance from untrusted networks.
  • How Valkey Contributes: Valkey, by default, listens on a TCP port (6379) and may not have authentication enabled initially.
  • Example: An attacker scans for open port 6379 on public IP addresses and finds a Valkey instance without a password set.
  • Impact: Complete data compromise (read, write, delete), potential for remote code execution (if certain modules are loaded and exploitable).
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Network Segmentation: Place Valkey within a private network (VPC) accessible only to trusted application servers. Never expose it directly to the public internet.
    • Firewall Rules: Configure strict firewall rules to allow inbound connections to port 6379 only from the specific IP addresses of authorized application servers.
    • Authentication: Always enable authentication in Valkey using a strong, randomly generated password (requirepass directive in valkey.conf).
    • VPN/Bastion Host: If remote administrative access is required, use a secure VPN or a bastion host with strong authentication and auditing.

Attack Surface: Unencrypted Communication (Lack of TLS)

• 2. Unencrypted Communication (Lack of TLS)

  • Description: Data transmitted between the application and Valkey is not encrypted, allowing for interception.
  • How Valkey Contributes: Valkey supports TLS, but it's not enabled by default. The application must be configured to use it.
  • Example: An attacker performs a Man-in-the-Middle (MitM) attack on the network between the application server and the Valkey instance, capturing sensitive data in transit.
  • Impact: Data leakage (credentials, cached data, application data), potential for data modification.
  • Risk Severity: High
  • Mitigation Strategies:
    • Enable TLS: Configure both Valkey and the application's client library to use TLS encryption for all communication.
    • Certificate Validation: Ensure the client library properly validates the Valkey server's TLS certificate to prevent MitM attacks using forged certificates.
    • Strong Cipher Suites: Use strong, modern cipher suites for TLS encryption.

Attack Surface: Command Injection

• 3. Command Injection

  • Description: Attackers inject malicious Valkey commands through unsanitized application input.
  • How Valkey Contributes: Valkey executes commands sent by clients. If the application constructs commands using untrusted input without proper escaping, injection is possible.
  • Example: An application uses user input directly in a SET command: valkey.set(userInput, "value"). An attacker provides input like "; FLUSHALL; " to delete all data.
  • Impact: Data loss, data modification, potential denial of service, potential for remote code execution (via EVAL or modules).
  • Risk Severity: High
  • Mitigation Strategies:
    • Parameterized Commands: Use client libraries that support parameterized commands (like prepared statements in SQL). This treats all input as data, preventing command injection.
    • Input Validation/Sanitization: Strictly validate and sanitize all input used in constructing Valkey commands, even when using parameterized commands (defense-in-depth).
    • Disable Dangerous Commands: Use the rename-command directive in valkey.conf to disable or rename dangerous commands like FLUSHALL, FLUSHDB, CONFIG, and EVAL if they are not absolutely necessary.

Attack Surface: Denial of Service (DoS)

• 4. Denial of Service (DoS)

  • Description: Attackers overwhelm the Valkey instance, making it unavailable to legitimate users.
  • How Valkey Contributes: Valkey is susceptible to resource exhaustion (memory, CPU, network) if not properly configured and protected.
  • Example: An attacker sends a flood of SET commands with very large values, consuming all available memory in the Valkey instance. Or, an attacker repeatedly executes KEYS * on a large dataset.
  • Impact: Application unavailability, potential data loss (if persistence is not configured or is overwhelmed).
  • Risk Severity: High
  • Mitigation Strategies:
    • Rate Limiting: Implement rate limiting on the application side or using a proxy to limit the number of requests per client/IP address.
    • Resource Limits: Configure maxmemory in valkey.conf to limit the maximum memory Valkey can use. Use maxclients to limit concurrent connections.
    • Avoid KEYS *: Use SCAN instead of KEYS * for iterating over keys in production.
    • Network Monitoring: Monitor network traffic and server resource usage to detect and respond to DoS attacks.
    • Timeouts: Configure appropriate timeouts on both the client and server sides.

Attack Surface: Outdated Valkey Version or Client Library

• 5. Outdated Valkey Version or Client Library

  • Description: Running an outdated version of Valkey or a vulnerable client library exposes the application to known vulnerabilities.
  • How Valkey Contributes: Like any software, Valkey and its client libraries can have security vulnerabilities that are patched in newer releases.
  • Example: An older version of Valkey has a known remote code execution vulnerability. An attacker exploits this vulnerability to gain control of the server.
  • Impact: Varies depending on the vulnerability, but can range from data leakage to complete system compromise.
  • Risk Severity: High (depending on the vulnerability)
  • Mitigation Strategies:
    • Regular Updates: Keep Valkey and all client libraries up-to-date with the latest stable releases.
    • Vulnerability Scanning: Regularly scan the Valkey instance and application dependencies for known vulnerabilities.
    • Software Composition Analysis (SCA): Use SCA tools to track dependencies and receive alerts about vulnerabilities.