CVE-2024-3019: Exposure of Resource to Wrong Sphere
A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
AI Analysis
Technical Summary
CVE-2024-3019 (CWE-668, Exposure of Resource to Wrong Sphere) affects Performance Co-Pilot (PCP) versions 4.3.4 and later. pmproxy, PCP's proxy daemon, listens on TCP port 44322 on all interfaces by default and auto-detects the protocol each client speaks on that single port: the native PCP protocol, HTTP for the REST API, and the Redis wire protocol (RESP). In the default configuration, RESP clients are relayed to the Redis instance that pmproxy uses as the backing store for PCP time-series data (the pmseries service). That Redis server is normally bound to loopback and runs without authentication, because the operating assumption was that only local processes could reach it. The proxy breaks that assumption: anyone who can reach port 44322 can issue arbitrary Redis commands through pmproxy without credentials, and because Redis sees the connection arriving from pmproxy on loopback, Redis-side bind restrictions and protected mode do not intervene. Redis accepts administrative commands such as CONFIG SET, which let a client control where the server writes its dump file; that is the well-known route from "arbitrary Redis commands" to file writes and code execution as the redis user, and it is why the advisory describes the outcome as remote command execution with the Redis user's privileges. The issue is only exploitable while pmproxy is running. pmproxy is not started by default; it is typically started from the 'Metrics settings' page of the Cockpit web interface, so any host on which an administrator has enabled Cockpit metrics history is in scope. The CVSS v3.1 base score is 8.8 (High), vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: adjacent-network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality, integrity and availability impact on the affected host. No exploitation in the wild has been reported, but the exposure is trivial to reach, requiring only TCP access to port 44322 and a RESP client. The root cause is an insecure default rather than a memory-safety bug, so the practical questions for a defender are whether pmproxy is running, whether its port is reachable from untrusted networks, and whether Redis protocol proxying is still enabled.
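The following probe is an added example for this page, not PCP, Red Hat or Cockpit code. It does what the summary above describes from the client side: it opens a TCP connection to a pmproxy endpoint, sends a single Redis PING in RESP framing, and decides from the reply whether the Redis protocol is being relayed. Assumptions, labelled in the code: pmproxy's default port is 44322 (PCP's documented default), a "+PONG" reply proves relaying, and a NOAUTH error proves relaying of a Redis that at least has authentication enabled. The FakeRedisProxy class is a constructed loopback stand-in for an exposed pmproxy so the script runs offline; point probe_redis_proxy at a real host to use it for real. It sends nothing other than PING.

```python
"""Probe a pmproxy endpoint for Redis-protocol (RESP) relaying (CVE-2024-3019).

Added example; not PCP, Red Hat or Cockpit code. Assumptions: pmproxy listens
on TCP 44322 (PCP's documented default); a RESP "+PONG" reply, or a "-NOAUTH"
error, means the Redis wire protocol is being relayed to a backend. The
FakeRedisProxy below is a constructed stand-in so the script runs offline.
"""
import socket
import threading

PMPROXY_PORT = 44322  # assumption: PCP's default pmproxy port


def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (PING -> *1\\r\\n$4\\r\\nPING\\r\\n)."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def resp_decode_simple(reply: bytes) -> tuple[str, str]:
    """Decode one simple-string (+), error (-) or bulk-string ($) reply as (kind, payload)."""
    if not reply or reply.startswith(b"\r\n"):
        return ("empty", "")
    head, _, rest = reply.partition(b"\r\n")
    kind = chr(head[0])
    if kind in "+-":
        return ("status" if kind == "+" else "error", head[1:].decode(errors="replace"))
    if kind == "$":
        length = int(head[1:])
        if length < 0:
            return ("null", "")
        return ("bulk", rest[:length].decode(errors="replace"))
    return ("other", reply.decode(errors="replace"))


def probe_redis_proxy(host: str, port: int = PMPROXY_PORT, timeout: float = 3.0) -> dict:
    """Connect, send PING, classify the answer. Sends nothing but PING."""
    result = {"host": host, "port": port, "reachable": False, "redis_proxied": False, "reply": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.sendall(resp_encode("PING"))
            kind, payload = resp_decode_simple(sock.recv(512))
    except OSError as exc:
        result["reply"] = f"connect/recv failed: {exc}"
        return result
    result["reply"] = f"{kind}:{payload}"
    # pmproxy relays RESP byte-for-byte, so "+PONG" is the backend Redis answering.
    # A NOAUTH error still proves relaying; authentication only blocks further commands.
    result["redis_proxied"] = (kind == "status" and payload == "PONG") or payload.startswith("NOAUTH")
    return result


class FakeRedisProxy:
    """Constructed loopback stand-in for an exposed pmproxy->Redis path. Not PCP code."""

    def __init__(self, reply: bytes = b"+PONG\r\n"):
        self.reply = reply
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        conn, _ = self.sock.accept()
        with conn:
            conn.recv(512)          # swallow the PING
            conn.sendall(self.reply)
        self.sock.close()


def demo() -> dict:
    """Run the probe against the constructed stand-in; returns the probe result."""
    fake = FakeRedisProxy()
    return probe_redis_proxy("127.0.0.1", fake.port)


if __name__ == "__main__":
    print(demo())
```

A result with reachable=True and redis_proxied=False (for example an HTTP error or a closed connection after the PING) means pmproxy answered but did not relay RESP, which is what a host with Redis proxying disabled looks like; reachable=False means the port is not open to you, which is the desired state for untrusted networks.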
Potential Impact
The impact of CVE-2024-3019 is substantial for any host running PCP with pmproxy started. An attacker who can reach port 44322 can issue arbitrary Redis commands without authentication, which gives them read and write access to every key in the monitoring data store and, through Redis's own administrative commands, the ability to write files and run code as the redis user on that host. That is code execution as an unprivileged service account, not root; escalating beyond the redis user would need a separate weakness, which is why the CVSS scope is unchanged even though all three impact metrics are rated high. Within that boundary the attacker can read the collected performance data, which often reveals hostnames, process names, mount points and workload patterns useful for reconnaissance, tamper with or delete the time-series history that Cockpit and other consumers display, and disrupt the monitoring itself, which degrades incident detection on that host. The adjacent-network attack vector limits exploitation to networks that can route to port 44322, but that is a weak boundary in flat office networks, in virtualized and cloud environments where tenants or workloads share a segment, and anywhere security groups were written with the assumption that pmproxy only served the HTTP API. No exploits have been reported in the wild, but because the exposure requires only a TCP connection and a Redis client, it should be prioritized as highly as its score suggests on any host where pmproxy has been enabled.
Mitigation Recommendations
To mitigate CVE-2024-3019, first apply the PCP update from your distribution; the vendor fix changes the default so that pmproxy no longer relays the Redis protocol. Independently of patching, confirm that pmproxy is only running where it is actually needed: it is started by Cockpit's 'Metrics settings' page, so administrators who enabled metrics history may not realize a network listener came with it. Where pmproxy must stay running, disable Redis protocol proxying explicitly by setting redis.enabled = false in the [pmproxy] section of /etc/pcp/pmproxy/pmproxy.conf and restarting the service, then verify that the Cockpit metrics page and any pmseries consumers still work. Restrict TCP port 44322 to trusted hosts with host firewall rules, security groups or network segmentation; note that Redis-side controls such as bind 127.0.0.1 and protected mode do not help here, because Redis sees every proxied connection arriving from pmproxy on loopback. Hardening Redis itself is still worthwhile as defense in depth: enable authentication or ACLs (pmproxy's own connection must then be given the same credentials), and rename or disable administrative commands such as CONFIG where your deployment allows it. Audit exposure regularly: check whether pmproxy.service is active and whether anything is listening on 44322 on a non-loopback address, and alert on pmproxy being started, on Redis connections that originate from pmproxy but carry administrative commands, and on unexpected files appearing in directories writable by the redis user. In virtualized and cloud environments, write security group and network policy rules for 44322 as you would for a database port, not for a metrics endpoint. Finally, keep both pmproxy and Redis running as their dedicated unprivileged accounts with the minimum file-system access they need, so that Redis-user code execution, if it happens, stays contained.
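The audit below is an added example for this page, not PCP, Red Hat or Cockpit code. It combines the two host-side checks the recommendations above call for: whether Redis protocol proxying is still enabled in pmproxy.conf, and whether pmproxy is listening on a non-loopback address. Assumptions, labelled in the code: the [pmproxy] section of /etc/pcp/pmproxy/pmproxy.conf carries a boolean redis.enabled key whose upstream default is true, pmproxy listens on TCP 44322, and the listener snapshot comes from `ss -H -ltn`. SAMPLE_CONF and SAMPLE_SS are constructed inputs so the script runs offline; assess_live_host() reads the real config and calls ss on a real host.

```python
"""Host-side audit for CVE-2024-3019 exposure.

Added example; not PCP, Red Hat or Cockpit code. Assumptions: the [pmproxy]
section of /etc/pcp/pmproxy/pmproxy.conf has a boolean `redis.enabled` whose
upstream default is true; pmproxy listens on TCP 44322; listener data comes
from `ss -H -ltn`. SAMPLE_CONF and SAMPLE_SS below are constructed.
"""
import configparser
import io
import ipaddress
import subprocess

PMPROXY_PORT = 44322                          # assumption: PCP default pmproxy port
PMPROXY_CONF = "/etc/pcp/pmproxy/pmproxy.conf"  # assumption: standard config path

SAMPLE_CONF = """\
[pmproxy]
pcp.enabled = true
http.enabled = true
redis.enabled = true
"""

# Constructed `ss -H -ltn` snapshot: Redis on loopback only, pmproxy on all interfaces.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:44322 0.0.0.0:*
LISTEN 0 128 [::]:44322 [::]:*
LISTEN 0 128 127.0.0.1:44321 0.0.0.0:*
"""


def redis_proxy_enabled(conf_text: str) -> bool:
    """True if pmproxy.conf leaves Redis protocol proxying on (missing key = upstream default true)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(conf_text))
    return parser.getboolean("pmproxy", "redis.enabled", fallback=True)


def _split_local_addr(local: str) -> tuple[str, int]:
    """'0.0.0.0:44322' -> ('0.0.0.0', 44322); '[::]:44322' -> ('::', 44322)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """Wildcard binds ('*', 0.0.0.0, ::) are not loopback; 127.x and ::1 are."""
    if host in ("*", "", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False


def exposed_pmproxy_listeners(ss_text: str, port: int = PMPROXY_PORT) -> list[str]:
    """Local addresses on which `port` is bound to something other than loopback."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, bound_port = _split_local_addr(fields[3])
        if bound_port == port and not is_loopback(host):
            found.append(fields[3])
    return found


def assess(conf_text: str, ss_text: str) -> dict:
    """Combine both checks; exposure needs proxying enabled AND a reachable listener."""
    proxied = redis_proxy_enabled(conf_text)
    listeners = exposed_pmproxy_listeners(ss_text)
    actions = []
    if proxied:
        actions.append(f"set 'redis.enabled = false' under [pmproxy] in {PMPROXY_CONF} and restart pmproxy")
    if listeners:
        actions.append(f"restrict TCP/{PMPROXY_PORT} to trusted hosts (firewall or loopback bind)")
    return {
        "redis_proxy_enabled": proxied,
        "non_loopback_listeners": listeners,
        "cve_2024_3019_exposed": proxied and bool(listeners),
        "actions": actions,
    }


def assess_live_host() -> dict:
    """Run against the real host: reads pmproxy.conf and calls ss (iproute2; no root needed)."""
    with open(PMPROXY_CONF, encoding="utf-8") as fh:
        conf = fh.read()
    ss_out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True, check=True).stdout
    return assess(conf, ss_out)


if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_SS))
```

The exposure verdict deliberately requires both conditions: a pmproxy bound only to loopback with proxying on is safe from the network, and a pmproxy on all interfaces with proxying off serves only the PCP and HTTP protocols. Either condition alone is still reported as an action, because the patched default removes only one of them and the listener will reappear the next time someone enables metrics history in Cockpit.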
Affected Countries
United States, Germany, Japan, United Kingdom, Canada, France, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-03-27T17:41:16.708Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ec3729f5a9374a9d10f8e
Added to database: 11/20/2025, 7:29:54 AM
Last enriched: 2/28/2026, 4:38:10 AM
Last updated: 3/24/2026, 7:23:58 AM