
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN351
_____________________________________________________________________

DATE                : 12/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ruby versions prior to 2.6.7,
                                      2.7.3, 3.0.1.

=====================================================================
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
_____________________________________________________________________


CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

Posted by shugo on 7 Jul 2021

A StartTLS stripping vulnerability was discovered in Net::IMAP. This
vulnerability has been assigned the CVE identifier CVE-2021-32066. We
strongly recommend upgrading Ruby.

net-imap is a default gem in Ruby 3.0.1 but it has a packaging issue, so
please upgrade Ruby itself.


Details

Net::IMAP does not raise an exception when StartTLS fails with an
unknown response, which might allow man-in-the-middle attackers to
bypass the TLS protections by leveraging a network position between the
client and the server to block the StartTLS command, aka a “StartTLS
stripping attack.”


Affected Versions

    Ruby 2.6 series: 2.6.7 and earlier
    Ruby 2.7 series: 2.7.3 and earlier
    Ruby 3.0 series: 3.0.1 and earlier


Credits

Thanks to Alexandr Savca for reporting the issue.


History

    Originally published at 2021-07-07 09:00:00 UTC

_____________________________________________________________________


CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

Posted by shugo on 7 Jul 2021

A trusting FTP PASV responses vulnerability was discovered in Net::FTP.
This vulnerability has been assigned the CVE identifier CVE-2021-31810.
We strongly recommend upgrading Ruby.

net-ftp is a default gem in Ruby 3.0.1 but it has a packaging issue, so
please upgrade Ruby itself.


Details

A malicious FTP server can use the PASV response to trick Net::FTP into
connecting back to a given IP address and port. This potentially makes
Net::FTP extract information about services that are otherwise private
and not disclosed (e.g., the attacker can conduct port scans and service
banner extractions).
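
A client-side check for the PASV handling described above, as an added
example that is not taken from the Ruby advisory or from the Net::FTP
patch. The helper names parse_pasv and data_endpoint are hypothetical, and
the replies and addresses are constructed samples.

```ruby
require "ipaddr"

# Hypothetical helpers for illustration; these are not Net::FTP methods.
PASV_REPLY = /\A227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parse a 227 reply into [advertised_host, port]; raise on malformed input.
def parse_pasv(reply)
  m = PASV_REPLY.match(reply)
  raise ArgumentError, "not a 227 PASV reply: #{reply.inspect}" unless m
  fields = m.captures.map(&:to_i)
  raise ArgumentError, "field out of range: #{reply.inspect}" if fields.any? { |f| f > 255 }
  port = fields[4] * 256 + fields[5]
  raise ArgumentError, "port 0 is not connectable" if port.zero?
  [fields[0, 4].join("."), port]
end

# control_peer is the address the control connection is really connected to.
# Only the port is taken from the reply; the advertised host is compared with
# the peer so that a mismatch can be logged, but it is never dialled.
def data_endpoint(reply, control_peer)
  advertised, port = parse_pasv(reply)
  mismatch = IPAddr.new(advertised) != IPAddr.new(control_peer)
  { host: control_peer, port: port, advertised: advertised, mismatch: mismatch }
end

# Constructed sample replies (documentation and private address ranges).
SAMPLES = [
  "227 Entering Passive Mode (192,0,2,10,19,137)", # matches the peer
  "227 Entering Passive Mode (10,0,0,5,0,22)",     # points at another host
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |reply|
    ep = data_endpoint(reply, "192.0.2.10")
    note = ep[:mismatch] ? "MISMATCH, advertised #{ep[:advertised]} ignored" : "ok"
    puts "#{ep[:host]}:#{ep[:port]}  #{note}"
  end
end
```

A mismatch is worth logging on the client side, since a server that
advertises an address other than its own is either behind misconfigured
NAT or behaving as the advisory describes.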


Affected Versions

    Ruby 2.6 series: 2.6.7 and earlier
    Ruby 2.7 series: 2.7.3 and earlier
    Ruby 3.0 series: 3.0.1 and earlier


Credits

Thanks to Alexandr Savca for reporting the issue.


History

    Originally published at 2021-07-07 09:00:00 UTC



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


