Ruby up to 2.4.3 lib/resolv.rb Resolv::Hosts::new Argument injection

Summaryinfo

A vulnerability was found in Ruby up to 2.4.3. It has been rated as critical. The affected element is the function Resolv::Hosts::new in the library lib/resolv.rb. The manipulation with the input | as part of Argument leads to injection. This vulnerability is documented as CVE-2017-17790. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Ruby up to 2.4.3 (Programming Language Software) and classified as critical. This issue affects the function Resolv::Hosts::new in the library lib/resolv.rb. The manipulation with the input value | leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.

The bug was discovered 12/19/2017. The weakness was released 12/20/2017 (GitHub Repository). It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2017-17790 since 12/20/2017. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1055 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 105428 (Debian DLA-1221-1 : ruby1.9.1 security update), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Debian Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 197017 (Ubuntu Security Notification for Ruby1.9.1, Ruby2.3 Vulnerabilities (USN-3528-1)).

Upgrading eliminates this vulnerability. A possible mitigation has been published 5 days after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (105428). Entry connected to this vulnerability is available at VDB-110720. Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Programming Language Software

Name

• Ruby

Version

• 2.4.0
• 2.4.1
• 2.4.2
• 2.4.3

License

• open-source

Website

• Product: https://github.com/ruby/ruby/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion