====================================================================
CERT-Renater Note d'Information No. 2017/VULN259
_____________________________________________________________________
DATE : 15/09/2017
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Ruby versions 2.2, 2.3, 2.4 prior to 2.2.7, 2.3.4, 2.4.1.
=====================================================================
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064
____________________________________________________________________

CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick

Posted by usa on 14 Sep 2017

There is an escape sequence injection vulnerability in the Basic authentication of WEBrick bundled by Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-10784.

Details

When using the Basic authentication of WEBrick, clients can pass an arbitrary string as the user name. WEBrick outputs the passed user name intact to its log, so an attacker can inject malicious escape sequences into the log, and dangerous control characters may be executed on a victim's terminal emulator. This vulnerability is similar to a vulnerability already fixed, but it had not been fixed in the Basic authentication.

All users running an affected release should upgrade immediately.

Affected Versions

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier
prior to trunk revision 58453

Credit

Thanks to Yusuke Endoh mame@ruby-lang.org for reporting this issue.
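The defensive counterpart to the WEBrick log issue above, as an added example that is not part of the advisory or of Ruby's or WEBrick's own code: any attacker-controlled string (here a Basic-auth user name) is neutralised before it reaches a log file, and existing log lines can be scanned for embedded control characters. The function names, the constant `CONTROL_CHARS` and the sample log lines are assumptions constructed for this example.

```ruby
# Added example, not code from the advisory or from Ruby/WEBrick.
# Control characters that a terminal emulator interprets: the C0 range
# (including ESC, 0x1b), DEL, and the C1 range 0x80-0x9f.
CONTROL_CHARS = /[\x00-\x1f\x7f\u0080-\u009f]/

# Coerce arbitrary input (possibly binary from the wire) to valid UTF-8 so
# the regex can be applied without an Encoding::CompatibilityError.
def as_utf8(str)
  s = str.to_s.dup.force_encoding(Encoding::UTF_8)
  s.valid_encoding? ? s : s.scrub('?')
end

# Replace each control character with a visible \xNN escape so that the log
# keeps evidence of the attempt without letting a log viewer's terminal
# execute the sequence.
def sanitize_for_log(str)
  as_utf8(str).gsub(CONTROL_CHARS) { |ch| format('\\x%02x', ch.ord) }
end

# Constructed sample of WEBrick-style access log lines (assumption, not real
# traffic); the second line carries an ANSI colour sequence in the user name.
SAMPLE_LOG = [
  "127.0.0.1 - alice [14/Sep/2017:12:00:00 UTC] \"GET /secret HTTP/1.1\" 200 12",
  "127.0.0.1 - bob\e[31m [14/Sep/2017:12:00:01 UTC] \"GET /secret HTTP/1.1\" 401 0",
  "127.0.0.1 - carol [14/Sep/2017:12:00:02 UTC] \"GET /secret HTTP/1.1\" 200 12",
].freeze

# Detection over an already-written log: return the indices of lines that
# contain any control character, i.e. the lines a reviewer should not cat
# straight to a terminal.
def suspicious_log_lines(lines)
  lines.each_index.select { |i| as_utf8(lines[i]).match?(CONTROL_CHARS) }
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_for_log("bob\e[31m")
  p suspicious_log_lines(SAMPLE_LOG)
end
```

`sanitize_for_log` is meant to wrap the user name at the point where the server formats its log entry; `suspicious_log_lines` is the after-the-fact check for logs written by an unpatched WEBrick.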
History

Originally published at 2017-09-14 12:00:00 (UTC)
____________________________________________________________________

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

Posted by usa on 14 Sep 2017

There is a buffer underrun vulnerability in the sprintf method of the Kernel module. This vulnerability has been assigned the CVE identifier CVE-2017-0898.

Details

If a malicious format string which contains a precision specifier (*) is passed and a huge negative value is also passed to the specifier, a buffer underrun may be caused. In such a situation, the result may contain heap contents, or the Ruby interpreter may crash.

All users running an affected release should upgrade immediately.

Affected Versions

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier
prior to trunk revision 58453

Credit

Thanks to aerodudrizzt for reporting this issue.

History

Originally published at 2017-09-14 12:00:00 (UTC)
____________________________________________________________________

CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

Posted by usa on 14 Sep 2017

There is a buffer underrun vulnerability in OpenSSL bundled by Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14033.

Details

If a malicious string is passed to the decode method of OpenSSL::ASN1, a buffer underrun may be caused and the Ruby interpreter may crash.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier
prior to trunk revision 56946

Workaround

The OpenSSL library is also distributed as a gem. If you can't upgrade Ruby itself, install an OpenSSL gem newer than version 2.0.0. But this workaround is only available with the Ruby 2.4 series. When using the Ruby 2.2 series or 2.3 series, the gem does not override the bundled version of OpenSSL.
Credit

Thanks to asac for reporting this issue.

History

Originally published at 2017-09-14 12:00:00 (UTC)
____________________________________________________________________

CVE-2017-14064: Heap exposure vulnerability in generating JSON

Posted by usa on 14 Sep 2017

There is a heap exposure vulnerability in JSON bundled by Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-14064.

Details

The generate method of the JSON module optionally accepts an instance of the JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of the heap.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Versions

Ruby 2.2 series: 2.2.7 and earlier
Ruby 2.3 series: 2.3.4 and earlier
Ruby 2.4 series: 2.4.1 and earlier
prior to trunk revision 58323

Workaround

The JSON library is also distributed as a gem. If you can't upgrade Ruby itself, install a JSON gem newer than version 2.0.4.

Credit

Thanks to ahmadsherif for reporting this issue.

History

Originally published at 2017-09-14 12:00:00 (UTC)
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44 +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41 +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
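A triage helper for the four advisories, as an added example that is not part of the CERT-Renater note or of Ruby's tooling: it applies the affected-version lists (2.2.7, 2.3.4, 2.4.1 and earlier) and the two gem workarounds (JSON gem newer than 2.0.4; OpenSSL gem newer than 2.0.0, effective on the 2.4 series only) to an installed Ruby and reports which CVEs remain open. The function names and the keyword arguments are assumptions; the trunk revision cut-offs quoted in the advisory are not modelled, so a development build is reported as not covered.

```ruby
# Added example, not code from the advisory; version thresholds are the ones
# the advisory states.
require 'rubygems'

# Highest affected patch release per series, per the advisory.
LAST_AFFECTED = {
  '2.2' => Gem::Version.new('2.2.7'),
  '2.3' => Gem::Version.new('2.3.4'),
  '2.4' => Gem::Version.new('2.4.1'),
}.freeze

JSON_GEM_FIXED_ABOVE    = Gem::Version.new('2.0.4')  # JSON gem must be newer than this
OPENSSL_GEM_FIXED_ABOVE = Gem::Version.new('2.0.0')  # OpenSSL gem must be newer than this

# "2.4.1" -> "2.4"; the series decides which threshold applies.
def series_of(version)
  version.segments[0, 2].join('.')
end

# True when the interpreter itself is in one of the affected ranges. Series the
# advisory does not list (older releases, trunk) return false: not covered.
def ruby_affected?(ruby_version)
  v = Gem::Version.new(ruby_version)
  last = LAST_AFFECTED[series_of(v)]
  !last.nil? && v <= last
end

# CVEs still open for this install. json_gem / openssl_gem are the versions of
# the standalone gems actually loaded, or nil when only the bundled copies are
# in use (constructed inputs, supplied by the caller).
def open_cves(ruby_version:, json_gem: nil, openssl_gem: nil)
  return [] unless ruby_affected?(ruby_version)

  # No gem workaround exists for these two: only a Ruby upgrade closes them.
  open = ['CVE-2017-10784', 'CVE-2017-0898']

  json_fixed = json_gem && Gem::Version.new(json_gem) > JSON_GEM_FIXED_ABOVE
  open << 'CVE-2017-14064' unless json_fixed

  # The OpenSSL gem overrides the bundled library only on the 2.4 series.
  on_24 = series_of(Gem::Version.new(ruby_version)) == '2.4'
  openssl_fixed = on_24 && openssl_gem &&
                  Gem::Version.new(openssl_gem) > OPENSSL_GEM_FIXED_ABOVE
  open << 'CVE-2017-14033' unless openssl_fixed

  open
end

if __FILE__ == $PROGRAM_NAME
  p open_cves(ruby_version: RUBY_VERSION)
end
```

Run on a host, `open_cves(ruby_version: RUBY_VERSION, json_gem: Gem.loaded_specs['json']&.version.to_s)` gives the list an operator still has to act on; an empty list on an affected interpreter is only possible for the two CVEs with gem workarounds, so the two sprintf and WEBrick entries always force the upgrade the advisory asks for.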