ID CVE-2012-5371
Summary Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
References
Vulnerable Configurations
  • ruby-lang Ruby 1.9
    cpe:2.3:a:ruby-lang:ruby:1.9
  • ruby-lang Ruby 1.9.1
    cpe:2.3:a:ruby-lang:ruby:1.9.1
  • ruby-lang Ruby 1.9.2
    cpe:2.3:a:ruby-lang:ruby:1.9.2
  • ruby-lang Ruby 1.9.3
    cpe:2.3:a:ruby-lang:ruby:1.9.3
  • ruby-lang Ruby 1.9.3-p194
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p194
  • ruby-lang Ruby 1.9.3-p286
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p286
  • ruby-lang Ruby 1.9.3-p125
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p125
  • ruby-lang Ruby 1.9.3-p0
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p0
  • Ruby-lang Ruby 2.0
    cpe:2.3:a:ruby-lang:ruby:2.0
CVSS
Base: 5.0 (as of 28-11-2012 - 13:34)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector     Complexity   Authentication
NETWORK    LOW          NONE
Impact
Confidentiality   Integrity   Availability
NONE              NONE        PARTIAL
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2012-341-04.NASL
    description New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix security issues.
    last seen 2019-01-03
    modified 2019-01-02
    plugin id 63170
    published 2012-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63170
    title Slackware 13.1 / 13.37 / 14.0 / current : ruby (SSA:2012-341-04)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1733-1.NASL
    description Jean-Philippe Aumasson discovered that Ruby incorrectly generated predictable hash values. An attacker could use this issue to generate hash collisions and cause a denial of service. (CVE-2012-5371) Evgeny Ermakov discovered that documentation generated by rdoc is vulnerable to a cross-site scripting issue. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2013-0256) Thomas Hollstegge and Ben Murphy discovered that the JSON implementation in Ruby incorrectly handled certain crafted documents. An attacker could use this issue to cause a denial of service or bypass certain protection mechanisms. (CVE-2013-0269). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 64799
    published 2013-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64799
    title Ubuntu 12.04 LTS / 12.10 : ruby1.9.1 vulnerabilities (USN-1733-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-17949.NASL
    description A security flaw was found in the ruby currently shipped on Fedora 18: a carefully crafted sequence of strings may cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. This issue is now registered as CVE-2012-5371. This new package should fix this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 63030
    published 2012-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63030
    title Fedora 18 : ruby-1.9.3.327-22.fc18 (2012-17949)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2012-18017.NASL
    description A security flaw was found in the ruby currently shipped on Fedora 18: a carefully crafted sequence of strings may cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. This issue is now registered as CVE-2012-5371. This new package should fix this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 62955
    published 2012-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62955
    title Fedora 17 : ruby-1.9.3.327-19.fc17 (2012-18017)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_5E647CA32AEA11E2B745001FD0AF1A4C.NASL
    description The official ruby site reports : A carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web applications that parse JSON data sent from an untrusted entity. This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using a modified MurmurHash function, but it has been reported that there is a way to create a sequence of strings whose hash values collide with each other. This fix changes the Hash function of String object from MurmurHash to SipHash 2-4.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 62886
    published 2012-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62886
    title FreeBSD : ruby -- Hash-flooding DoS vulnerability for ruby 1.9 (5e647ca3-2aea-11e2-b745-001fd0af1a4c)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-167.NASL
    description ruby19 was updated to fix various bugs and security issues: Update to 1.9.3 p385 (bnc#802406) - XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) - for other changes see /usr/share/doc/packages/ruby19/Changelog Update to 1.9.3 p327 (bnc#789983) - CVE-2012-5371 and plenty of other fixes Update to 1.9.3 p286 (bnc#783511, bnc#791199) - This release includes some security fixes, and many other bug fixes. $SAFE escaping vulnerability about Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) - Unintentional file creation caused by inserting an illegal NUL character, and many other bug fixes. (CVE-2012-4522) Also the following bugfixes and packaging fixes were done : - make sure the rdoc output is more stable for build-compare (new patch ruby-sort-rdoc-output.patch) - readd the private header *atomic.h - remove build dependency on ca certificates - only causing cycles - one more header needed for rubygem-ruby-debug-base19 - install vm_core.h and its dependencies as ruby-devel-extra - move the provides to the ruby package instead - add provides for the internal gems - restore the old ruby macros and the gem wrapper script - gem_install_wrapper no longer necessary
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74909
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74909
    title openSUSE Security Update : ruby19 (openSUSE-SU-2013:0376-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-263.NASL
    description Two vulnerabilities were identified in the Ruby language interpreter, version 1.9.1. CVE-2012-5371 Jean-Philippe Aumasson identified that Ruby computed hash values without properly restricting the ability to trigger hash collisions predictably, allowing context-dependent attackers to cause a denial of service (CPU consumption). This is a different vulnerability than CVE-2011-4815. CVE-2013-0269 Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby allowed remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects. For the squeeze distribution, these vulnerabilities have been fixed in version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade your ruby1.9.1 package. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 84494
    published 2015-07-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84494
    title Debian DLA-263-1 : ruby1.9.1 security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0582.NASL
    description Red Hat OpenShift Enterprise 1.1.1 is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments. Installing the updated packages and restarting the OpenShift services are the only requirements for this update. However, if you are updating your system to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise 1.1.1 updates, it is recommended that you restart your system. For further information about this release, refer to the OpenShift Enterprise 1.1.1 Technical Notes, available shortly from https://access.redhat.com/knowledge/docs/ This update also fixes the following security issues : Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465) It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected. (CVE-2012-4522) A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, a new, more collision resistant algorithm has been used to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-5371) Input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155) Input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694) A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424) A flaw was found in the handling of strings in Ruby safe level 4. A remote attacker can use Exception#to_s to destructively modify an untainted string so that it is tainted, the string can then be arbitrarily modified. (CVE-2012-4466) A flaw was found in the method for translating an exception message into a string in the Ruby Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4464) It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162) The CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat Regional IT team. Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.
    last seen 2019-02-21
    modified 2019-02-06
    plugin id 119432
    published 2018-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119432
    title RHEL 6 : openshift (RHSA-2013:0582)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-27.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-27 (Ruby: Denial of Service) Multiple vulnerabilities have been discovered in Ruby. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass security restrictions. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-10-05
    plugin id 79980
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79980
    title GLSA-201412-27 : Ruby: Denial of Service
refmap via4
bid 56484
confirm
misc
osvdb 87280
sectrack 1027747
secunia 51253
ubuntu USN-1733-1
xf ruby-hash-function-dos(79993)
Last major update 07-03-2013 - 23:10
Published 28-11-2012 - 08:03
Last modified 28-08-2017 - 21:32