RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ruby: Fiddle::Function.new heap buffer overflow (CVE-2016-2339)

  - DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens     libraries with tainted names. (CVE-2009-5147)

  - verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before     2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof     servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity,     and (4) non-ASCII characters. (CVE-2015-1855)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An exploitable heap overflow vulnerability exists in     the Fiddle::Function.new 'initialize' function     functionality of Ruby. In Fiddle::Function.new     'initialize' heap buffer 'arg_types' allocation is made     based on args array length. Specially constructed     object passed as element of args array can increase     this array size after mentioned allocation and cause     heap overflow.(CVE-2016-2339)

  - Type confusion exists in _cancel_eval Ruby's TclTkIp     class method. Attacker passing different type of object     than String as 'retval' argument can cause arbitrary     code execution.(CVE-2016-2337)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This ruby2.1 update to version 2.1.9 fixes the following issues :

Security issues fixed :

  - CVE-2016-2339: heap overflow vulnerability in the     Fiddle::Function.new'initialize' (bsc#1018808)

  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and     DL (bsc#959495)

  - CVE-2015-3900: hostname validation does not work when     fetching gems or making API requests (bsc#936032)

  - CVE-2015-1855: Ruby'a OpenSSL extension suffers a     vulnerability through overly permissive matching of     hostnames (bsc#926974)

  - CVE-2014-4975: off-by-one stack-based buffer overflow in     the encodes() function (bsc#887877)

Bugfixes :

  - SUSEconnect doesn't handle domain wildcards in no_proxy     environment variable properly (bsc#1014863)

  - Segmentation fault after pack & ioctl & unpack     (bsc#909695)

  - Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog :

- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog

This update was imported from the SUSE:SLE-12:Update update project.

This ruby2.1 update to version 2.1.9 fixes the following issues:
Security issues fixed :

  - CVE-2016-2339: heap overflow vulnerability in the     Fiddle::Function.new'initialize' (bsc#1018808)

  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and     DL (bsc#959495)

  - CVE-2015-3900: hostname validation does not work when     fetching gems or making API requests (bsc#936032)

  - CVE-2015-1855: Ruby'a OpenSSL extension suffers a     vulnerability through overly permissive matching of     hostnames (bsc#926974)

  - CVE-2014-4975: off-by-one stack-based buffer overflow in     the encodes() function (bsc#887877) Bugfixes :

  - SUSEconnect doesn't handle domain wildcards in no_proxy     environment variable properly (bsc#1014863)

  - Segmentation fault after pack & ioctl & unpack     (bsc#909695)

  - Ruby:HTTP Header injection in 'net/http' (bsc#986630)     ChangeLog :

- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to RubyGems 2.2.5.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to RubyGems 2.4.8.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 3.7.x or 3.8.x prior to 3.8.1. It it, therefore, affected by the following vulnerabilities :

  - A flaw exists in RubyGems due to a failure to validate     hostnames when fetching gems or making API requests. A     remote attacker, using a crafted DNS SRV record, can     exploit this to redirect requests to arbitrary domains.
    (CVE-2015-3900)

  - A flaw exists in RubyGems due to a failure to sanitize     DNS responses, which allows a man-in-the-middle attacker     to install arbitrary applications. (CVE-2015-4020)

  - A flaw exists in Puppet Enterprise related to how     certificates are managed, under certain vulnerable     configurations, which allows a trusted certificate to be     used to perform full certificate management. An attacker     can exploit this flaw to revoke the certificates of     other nodes or to approve their certificate requests.
    (CVE-2015-4100)

Note that the default 'monolithic', 'split', and 'multimaster' installations of Puppet Enterprise are not affected by CVE-2015-4100.

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against.
This mechanism is implemented via DNS, specificly a SRV record
_rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900)

As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900 , which allowed redirection to an arbitrary gem server in any security domain.

Jonathan Claudius reports :

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against.
This mechanism is implemented via DNS, specifically a SRV record
_rubygems._tcp under the original requested domain.

RubyGems did not validate the hostname returned in the SRV record before sending requests to it. This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.

ID	Name	Product	Family	Severity
198343	RHEL 7 : ruby (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
99896	EulerOS 2.0 SP2 : ruby (EulerOS-SA-2017-1051)	Nessus	Huawei Local Security Checks	critical
99895	EulerOS 2.0 SP1 : ruby (EulerOS-SA-2017-1050)	Nessus	Huawei Local Security Checks	critical
99753	openSUSE Security Update : ruby2.1 (openSUSE-2017-527)	Nessus	SuSE Local Security Checks	critical
99578	SUSE SLED12 / SLES12 Security Update : ruby2.1 (SUSE-SU-2017:1067-1)	Nessus	SuSE Local Security Checks	critical
85553	Fedora 21 : rubygems-2.2.5-100.fc21 (2015-13157)	Nessus	Fedora Local Security Checks	medium
85312	Fedora 22 : rubygems-2.4.8-100.fc22 (2015-12574)	Nessus	Fedora Local Security Checks	medium
85309	Fedora 23 : rubygems-2.4.8-100.fc23 (2015-12501)	Nessus	Fedora Local Security Checks	medium
84961	Puppet Enterprise 3.7.x < 3.8.1 / 3.8.x < 3.8.1 Multiple Vulnerabilities	Nessus	CGI abuses	medium
84250	Amazon Linux AMI : ruby22 (ALAS-2015-549)	Nessus	Amazon Linux Local Security Checks	medium
84249	Amazon Linux AMI : ruby21 (ALAS-2015-548)	Nessus	Amazon Linux Local Security Checks	medium
84248	Amazon Linux AMI : ruby20 (ALAS-2015-547)	Nessus	Amazon Linux Local Security Checks	medium
83513	FreeBSD : rubygems -- request hijacking vulnerability (a0089e18-fc9e-11e4-bc58-001e67150279)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2015-3900

high

Tenable Plugins

critical

critical

critical

critical

critical

medium

medium

medium

medium

medium

medium

medium

medium