Multiple CVEs affecting Rails 2.3 and 3.2

Last night, multiple security vulnerabilities were disclosed for Ruby on Rails. Some of these affect Rails 2.3, 3.0 and 3.2.

We’ve released patched versions of the Rails LTS gems which are available for subscribers on paid plans at this time. The community release of LTS 2.3 will be made available in 10 days, as usual.

You can find instructions below for Rails 2.3 and for Rails 3.2.

For Rails 2.3 users

We’ve released Rails LTS 2.3.18.15. See our upgrade instructions.

Details for all changes are below.
Note that some issues could not be resolved by an update to Rails LTS without breaking existing applications. In those cases, we provide advisories below.

[CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.

Original announcement here.

This CVE relates to functionality not present in Rails 2.3, so we did not issue a patch. Note, however, that it is possible you made the same mistake in your own code.

Advisory: Consider the following use of basic authentication:
authenticate_or_request_with_http_basic('Admin') do |username, password|
  username == 'admin' && password == 'password'
end
This code is vulnerable to a "timing attack". If an attacker guesses the first half of your password correctly, Rails will take marginally longer to respond, because the string comparison runs further before it finds a mismatch. It is possible to abuse this information to gradually guess a password.

To fix this, replace this code with something like the following:
# Drop this somewhere public, for example into an initializer.
require 'digest'
module SecureCompare
  # Compares two strings of equal length in constant time: every byte is
  # visited and the differences are OR-ed together, so the time taken does
  # not depend on where the first mismatch is.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    l = a.unpack "C#{a.bytesize}"

    res = 0
    b.each_byte { |byte| res |= byte ^ l.shift }
    res == 0
  end
  module_function :secure_compare

  # Hashes both inputs first so that the length check above cannot leak
  # the length of the secret; the digests always have the same size.
  def variable_size_secure_compare(a, b)
    secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
  end
  module_function :variable_size_secure_compare
end

# Use it like this. Note the single `&`: both comparisons always run, so the
# response time does not reveal whether the username was correct.
authenticate_or_request_with_http_basic('Admin') do |username, password|
  SecureCompare.variable_size_secure_compare(username, 'admin') &
    SecureCompare.variable_size_secure_compare(password, 'password')
end

[CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack

Original announcement here.

An attacker could make requests to your application with invalid Mime Types that result in a memory leak. This will eventually lead to your application running out of memory, causing a Denial of Service.

Rails 2.3 is affected. The issue is patched in the new LTS release.

[CVE-2015-7577] Nested attributes rejection proc bypass in Active Record

Original announcement here.

Consider the following code:

class Blog < ActiveRecord::Base
  accepts_nested_attributes_for :posts,
    :reject_if => proc { |attributes| attributes['title'].blank? }
end


This code prevents adding new posts without a title. Additionally, in Rails 3.0+, it would also prevent removing the title from an existing post.

There was an issue that allowed an attacker to circumvent the latter behavior. Since this behavior does not exist in Rails 2.3 in the first place, it is not affected.

Advisory: In order to prevent editing existing records with unwanted values, use regular Rails validations and not :reject_if.

[CVE-2015-7578, CVE-2015-7579, CVE-2015-7580] Multiple vulnerabilities in rails-html-sanitizer

Original announcements here, here and here.

Although rails-html-sanitizer was extracted from old Rails code, we have confirmed that these issues do not affect Rails 2.3.

[CVE-2016-0752] Possible Information Leak Vulnerability in Action View

Original announcement here.

Applications can pass unverified user input to the render method, causing Rails to render arbitrary files on the file system and evaluate them as templates.

The exact vulnerability does not affect Rails 2.3, but a very similar one does:

class MyController < ApplicationController
  def action
    render params[:id]
  end
end


An attacker can set params[:id] to { :file => '/home/user/my-secret-file' }. This will cause the secret file to be rendered. It will also potentially evaluate any .erb files.

However, since render :file => ... is public and documented API in Rails 2.3 that is used by existing applications and even some Rails internals, we cannot fix this issue in a Rails 2.3 patch. We cannot easily distinguish between user input and regular application code.

Note that while most applications probably do not have this kind of code, if yours does, this is a very critical vulnerability.

Advisory: Never pass unsanitized params directly to the render method.

[CVE-2016-0753] Possible Input Validation Circumvention in Active Model

Original announcement here.

ActiveRecord's mass assignment mechanism can be used to override some internal ActiveRecord functionality. An attacker could for example use crafted params to bypass input validations and some kinds of mass assignment protection.

Despite what the announcement said, Rails 2.3 is affected. The issue is patched in the new LTS release.

[CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack

Original announcement here.

There was an issue allowing an attacker to cause memory leaks with certain wildcard routes on Rails 3.0+.

We confirmed that Rails 2.3 is not affected by this vulnerability.

For Rails 3.2 users

We’ve released Rails LTS 3.2.22.4. See our upgrade instructions.

Details for all changes are below.

All issues that affected Rails 3.2 are fixed in the new LTS release. Note that there are also several advisories below, where there are additional issues that a Rails patch cannot solve automatically.

[CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.

Original announcement here.

When your application uses the http_basic_authenticate_with method, you are vulnerable to a timing attack. This allows an attacker to guess parts of a password and measure subtle differences in response times between requests, which can be used to gradually guess the password.

The issue is patched in the new LTS release.

Advisory: If you compare passwords manually instead of using http_basic_authenticate_with, you might have made the same mistake in your code.

After upgrading LTS, replace any use of this:

authenticate_or_request_with_http_basic('Admin') do |username, password|
  username == 'admin' && password == 'password'
end

with:

require 'active_support/security_utils'
authenticate_or_request_with_http_basic('Admin') do |username, password|
  ActiveSupport::SecurityUtils.variable_size_secure_compare(username, 'admin') &
    ActiveSupport::SecurityUtils.variable_size_secure_compare(password, 'password')
end
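The following is an added example, not code from the Rails LTS announcement or from Rails itself. It illustrates the timing leak described in both the Rails 2.3 and the Rails 3.2 sections above without relying on wall-clock measurements: each comparison strategy is instrumented to count how many bytes it actually compares. The early-exit strategy (how a plain `==` behaves) does an amount of work that depends on how long the guess matches the real secret, while the constant-time strategy always does the same amount of work. The secret and the guesses are constructed for the demonstration, and the function names are the example's own.

```ruby
# Added example (not part of the Rails LTS announcement): instrumented
# string comparison showing why `==` leaks and constant-time compare does not.
require 'digest'

# Models String#== as a loop that stops at the first differing byte.
# Returns [equal?, number_of_bytes_compared].
def early_exit_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  steps = 0
  a.each_byte.zip(b.each_byte) do |x, y|
    steps += 1
    return [false, steps] if x != y
  end
  [true, steps]
end

# Constant-time comparison in the style of SecureCompare.secure_compare:
# every byte is visited and mismatches are OR-ed together, so the work done
# is identical for any two inputs of the same length.
def constant_time_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  steps = 0
  res = 0
  a.each_byte.zip(b.each_byte) do |x, y|
    steps += 1
    res |= x ^ y
  end
  [res == 0, steps]
end

# Hash both sides first so even the length check cannot leak the secret's
# length (the variable_size_secure_compare idea from the announcement).
def variable_size_constant_time_compare(a, b)
  constant_time_compare(Digest::SHA256.hexdigest(a), Digest::SHA256.hexdigest(b))
end

# Constructed secret and guesses (hypothetical values for the demonstration).
SECRET = 'correct horse battery staple'.freeze
GUESSES = {
  wrong_first_byte: 'xorrect horse battery staple',
  right_prefix:     'correct horse battery stapLe',
  exact:            SECRET
}.freeze

# Runs one comparison strategy against every guess and returns
# { label => [equal?, bytes_compared] }.
def work_profile(compare)
  GUESSES.transform_values { |guess| send(compare, guess, SECRET) }
end

if __FILE__ == $PROGRAM_NAME
  %i[early_exit_compare constant_time_compare].each do |name|
    puts name
    work_profile(name).each do |label, (equal, steps)|
      puts "  #{label}: equal=#{equal} bytes_compared=#{steps}"
    end
  end
end
```

The byte counts stand in for response time: with the early-exit strategy a correct prefix is visibly "more work" than a wrong first byte, which is exactly the signal a remote attacker measures, whereas the constant-time strategy reports the same count for every guess of the same length. Hashing both sides before comparing removes the remaining length signal, which is why the announcement recommends variable_size_secure_compare over a bare secure_compare.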


[CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack

Original announcement here.

An attacker could make requests to your application with invalid Mime Types that result in a memory leak. This will eventually lead to your application running out of memory, causing a Denial of Service.

Rails 3.2 is affected. The issue is patched in the new LTS release.

[CVE-2015-7577] Nested attributes rejection proc bypass in Active Record

Original announcement here.

Consider the following code:

class Blog < ActiveRecord::Base
  accepts_nested_attributes_for :posts,
    reject_if: proc { |attributes| attributes['title'].blank? }
end


This code prevents adding new posts without a title and additionally it also prevents removing the title from an existing post.

However, under certain conditions (when setting allow_destroy: false), an attacker could circumvent this and update an existing record bypassing the reject_if proc.

Rails 3.2 is affected. The issue is patched in the new LTS release.

[CVE-2015-7578, CVE-2015-7579, CVE-2015-7580] Multiple vulnerabilities in rails-html-sanitizer

Original announcements here, here and here.

Although rails-html-sanitizer was extracted from old Rails code, we have confirmed that these issues do not affect Rails 3.2.

[CVE-2016-0752] Possible Information Leak Vulnerability in Action View

Original announcement here.

Applications can pass unverified user input to the render method, causing Rails to render arbitrary files on the file system and evaluate them as templates.

Vulnerable code looks like this:

class MyController < ApplicationController
  def action
    render params[:id]
  end
end


An attacker can set params[:id] to { :file => '../../my-secret-file' } and access files outside the Rails view path. This will cause the secret file to be rendered. It will also potentially evaluate any .erb files.

We patched this issue in the new LTS release.

Advisory: We still suggest never passing unsanitized params directly to the render method, even though the exact vulnerability is fixed.
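The following is an added example, not code from the Rails LTS announcement or from Rails. It applies to the render advisories in both the Rails 2.3 and the Rails 3.2 sections. Rails parses a query string such as ?id[file]=... into a Hash, which is why `render params[:id]` can turn into `render :file => ...`; the guard below therefore accepts only a plain String that names one of an allow-listed set of templates and rejects everything else. The controller, its simulated render method, the allow-list and the inputs are all constructed for the example; the file paths are the placeholders used in the announcement.

```ruby
# Added example (not part of the Rails LTS announcement): allow-listing the
# template name before it reaches render, instead of passing params through.

# Constructed allow-list of templates this action may render.
ALLOWED_TEMPLATES = %w[show summary history].freeze

class UntrustedRenderArgument < StandardError; end

# Returns the template name to render, or raises for anything that is not
# exactly one of the allow-listed String names (hashes, paths, traversal).
def safe_template_for(param)
  unless param.is_a?(String)
    raise UntrustedRenderArgument, "expected a String, got #{param.class}"
  end
  unless ALLOWED_TEMPLATES.include?(param)
    raise UntrustedRenderArgument, "template #{param.inspect} is not allow-listed"
  end
  param
end

# Stand-in for a controller so the example runs outside Rails: `render`
# is simulated and simply returns the argument it would have received.
class FakeController
  def initialize(params)
    @params = params
  end

  # Unsafe pattern from the advisory: whatever came in is passed to render.
  def unsafe_action
    render(@params[:id])
  end

  # Hardened pattern: only an allow-listed template name reaches render.
  def safe_action
    render(safe_template_for(@params[:id]))
  end

  private

  def render(arg)
    arg
  end
end

# Runs the hardened action with one constructed params[:id] value and
# reports whether render was reached or the input was rejected.
def safe_outcome(param)
  FakeController.new(:id => param).safe_action
  :rendered
rescue UntrustedRenderArgument
  :rejected
end

# Constructed inputs, shaped as Rails would parse them from a query string:
#   ?id=show                           -> "show"
#   ?id[file]=/home/user/my-secret-file -> { :file => "/home/user/my-secret-file" }
#   ?id=../../my-secret-file           -> "../../my-secret-file"
def outcomes
  {
    plain:     safe_outcome('show'),
    hash:      safe_outcome({ :file => '/home/user/my-secret-file' }),
    traversal: safe_outcome('../../my-secret-file')
  }
end

if __FILE__ == $PROGRAM_NAME
  unsafe = FakeController.new(:id => { :file => '/home/user/my-secret-file' }).unsafe_action
  puts "unsafe_action passed to render: #{unsafe.inspect}"
  outcomes.each { |label, result| puts "safe_action with #{label} input: #{result}" }
end
```

The type check matters as much as the allow-list: in Rails 2.3 the framework cannot tell user input from application code when it sees render :file => ..., so the application has to make sure a Hash never gets that far. Keeping the allow-list in the controller also means a later refactor cannot quietly reintroduce a raw params value into render.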

[CVE-2016-0753] Possible Input Validation Circumvention in Active Model

Original announcement here.

ActiveRecord's mass assignment mechanism can be used to override some internal ActiveRecord functionality. An attacker could for example use crafted params to bypass input validations and some kinds of mass assignment protection.

Despite what the announcement said, Rails 3.2 is affected. The issue is patched in the new LTS release.

[CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack

Original announcement here.

When using wildcard routes of the form

map.connect ':controller/:action'

(with :controller being the important bit), an attacker could make requests to non-existent controllers resulting in a memory leak. This would cause your application to eventually run out of memory, resulting in a Denial of Service.

Despite what the announcement said, Rails 3.2 is affected. The issue is patched in the new LTS release.
