CVE-2013-0263 - Unspecified vulnerability in Rack Project Rack

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
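As an added illustration (not Rack's own code), the comparison pattern behind the flaw sits next to a constant-time comparison of the kind the fixed releases rely on, applied to a constructed cookie in the Rack::Session::Cookie "data--digest" layout; the secret, payload and helper names are made up for the demo.

```ruby
require 'openssl'

# Added example, not Rack's code. The cookie layout imitates
# Rack::Session::Cookie: "<base64 session data>--<hex HMAC-SHA1 of the data>".
# The secret and the session payload are constructed for this demo.
SECRET = 'constructed-demo-secret'

def sign(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), SECRET, data)
end

# Vulnerable pattern (CVE-2013-0263): String#== stops at the first differing
# byte, so the time taken to reject a forged digest depends on how many
# leading hex characters the forgery got right. Returns the session data on
# success, nil on failure.
def verify_naive(cookie)
  data, digest = cookie.split('--', 2)
  return nil if digest.nil?
  digest == sign(data) ? data : nil
end

# Fixed pattern: XOR every byte pair and OR the results together, so the
# work done is the same wherever (or whether) the strings differ. The length
# check comes first; an HMAC digest has a fixed, public length, so failing
# early on a length mismatch reveals nothing secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

def verify_constant_time(cookie)
  data, digest = cookie.split('--', 2)
  return nil if digest.nil?
  secure_compare(digest, sign(data)) ? data : nil
end

# Build a constructed genuine cookie and a forgery of the same shape, and
# check that both verifiers agree on the genuine one while the
# constant-time verifier rejects the forgery.
def demo
  data = ['{"user_id":42}'].pack('m0')  # base64 of a constructed payload
  genuine = "#{data}--#{sign(data)}"
  forged  = "#{data}--#{'0' * 40}"      # right length, wrong digest
  {
    genuine_accepted: !verify_constant_time(genuine).nil?,
    forgery_rejected: verify_constant_time(forged).nil?,
    naive_agrees: verify_naive(genuine) == verify_constant_time(genuine)
  }
end
```

Both verifiers return the same answers; the difference is only in how long the rejection path takes, which is exactly what a remote attacker measures.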

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0686.NASL
    description: Red Hat Subscription Asset Manager 1.2.1, which fixes several security issues, multiple bugs, and adds various enhancements, is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. The latest packages for Subscription Asset Manager include a number of security fixes:
    When a Subscription Asset Manager instance is created, its configuration script automatically creates an RPM of the internal subscription service CA certificate. However, this RPM incorrectly created the CA certificate with file permissions of 0666. This allowed other users on a client system to modify the CA certificate used to trust the remote subscription server. All administrators are advised to update and deploy the subscription service certificate on all systems which use Subscription Asset Manager as their subscription service. This procedure is described in: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Installation_Guide/sect-Installation_Guide-Administration-Upgrading_Subscription_Asset_Manager.html (CVE-2012-6116)
    Manifest signature checking was not implemented for early versions of Subscription Asset Manager. This meant that a malicious user could edit a manifest file, insert arbitrary data, and successfully upload the edited manifest file into the Subscription Asset Manager server. (CVE-2012-6119)
    Ruby's documentation generator had a flaw in the way it generated HTML documentation. When a Ruby application exposed its documentation on a network (such as a web page), an attacker could use a specially crafted URL to open an arbitrary web script or to execute HTML code within the application's user session. (CVE-2013-0256)
    A timing attack flaw was found in the way rubygem-rack and ruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid an attacker using forged digital signatures to bypass authentication checks. (CVE-2013-0263)
    A flaw in rubygem-json allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service (DoS) attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269)
    A flaw in ActiveRecord in Ruby on Rails allowed remote attackers to circumvent attribute protections and to insert their own crafted requests to change protected attribute values. (CVE-2013-0276)
    HTML markup was not properly escaped when filling in the username field in the Notifications form of the Subscription Asset Manager UI. This meant that HTML code used in the value was then applied in the UI page when the entry was viewed. This could have allowed malicious HTML code to be entered. The field value is now validated and any HTML tags are escaped. (CVE-2013-1823)
    These updated packages also include bug fixes and enhancements:
    * Previously, no SELinux policy for the subscription service was included with the Subscription Asset Manager packages. The candlepin-selinux package is now included with SELinux policies for the subscription server. (BZ#906901)
    * When attempting to use the subscription service's CA certificate to validate a manifest during import, the comparison failed. The upstream subscription service which generated the manifest is a different service than the local subscription service; thus, they have different CA certificates. This caused importing a manifest to fail with the error 'archive failed signature'. This has been fixed so that the proper certificate is used for verification. (BZ#918778)
    All users of Subscription Asset Manager are recommended to update to the latest packages.
    last seen: 2017-10-29
    modified: 2014-05-02
    plugin id: 65904
    published: 2013-04-10
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=65904
    title: RHEL 6 : Subscription Asset Manager (RHSA-2013:0686)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-2315.NASL
    description: Patch for
    - path sanitization information disclosure (CVE-2013-0262)
    - timing attack in cookie sessions (CVE-2013-0263)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-05-08
    plugin id: 66340
    published: 2013-05-08
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66340
    title: Fedora 17 : rubygem-rack-1.4.0-4.fc17 (2013-2315)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_FCFDABB7F14D4E61A7D5CFEFB4B99B15.NASL
    description: Rack developers report: Today we are proud to announce the release of Rack 1.4.5.
    - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - Fix CVE-2013-0262, symlink path traversal in Rack::File
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64668
    published: 2013-02-18
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/64668
    title: FreeBSD : Ruby Rack Gem -- Multiple Issues (fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201405-10.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201405-10 (Rack: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details.
    Impact: A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or obtain sensitive information.
    Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 74053
    published: 2014-05-19
    reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74053
    title: GLSA-201405-10 : Rack: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-152.NASL
    description: The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails 3.2 stack was updated to 3.2.12. The Ruby Rack was updated to 1.1.6. The Ruby Rack was updated to 1.2.8. The Ruby Rack was updated to 1.3.10. The Ruby Rack was updated to 1.4.5. The updates fix various security issues and bugs.
    - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277:
    - update to version 3.2.12 (bnc#803336) CVE-2013-0276:
    - update to version 3.2.12 (bnc#803336) CVE-2013-0276: issue with attr_protected where malformed input could circumvent protection
    - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277:
      - Fix issue with attr_protected where malformed input could circumvent protection
      - Fix Serialized Attributes YAML Vulnerability
    - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277:
      - Fix issue with attr_protected where malformed input could circumvent protection
      - Fix Serialized Attributes YAML Vulnerability
    - update to version 3.2.12 (bnc#803336) CVE-2013-0276:
      - Quote numeric values being compared to non-numeric columns. Otherwise, in some databases, the string column values will be coerced to a numeric allowing 0, 0.0 or false to match any string starting with a non-digit.
    - update to 1.1.6 (bnc#802794)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - update to 1.2.8 (bnc#802794)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - update to 1.3.10 (bnc#802794)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
    - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)
      - Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
      - Fix CVE-2013-0262, symlink path traversal in Rack::File
    - ruby rack update to 1.4.4 (bnc#798452)
      - [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary strings (CVE-2013-0184)
    - ruby rack changes from 1.4.3
      - Security: Prevent unbounded reads in large multipart boundaries (CVE-2013-0183)
    - ruby rack changes from 1.4.2 (CVE-2012-6109)
      - Add warnings when users do not provide a session secret
      - Fix parsing performance for unquoted filenames
      - Updated URI backports
      - Fix URI backport version matching, and silence constant warnings
      - Correct parameter parsing with empty values
      - Correct rackup
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74900
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74900
    title: openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0638.NASL
    description: Red Hat OpenShift Enterprise 1.1.2, which fixes several security issues, is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments.
    A flaw was found in the handling of paths provided to ruby193-rubygem-rack. A remote attacker could use this flaw to conduct a directory traversal attack by passing malformed requests. (CVE-2013-0262)
    A timing attack flaw was found in the way rubygem-rack and ruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid an attacker using forged digital signatures to bypass authentication checks. (CVE-2013-0263)
    It was found that Jenkins did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into Jenkins, into visiting a specially crafted URL, the attacker could perform operations on Jenkins. (CVE-2013-0327, CVE-2013-0329)
    A cross-site scripting (XSS) flaw was found in Jenkins. A remote attacker could use this flaw to conduct an XSS attack against users of Jenkins. (CVE-2013-0328)
    A flaw could allow a Jenkins user to build jobs they do not have access to. (CVE-2013-0330)
    A flaw could allow a Jenkins user to cause a denial of service if they are able to supply a specially crafted payload. (CVE-2013-0331)
    Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. It is recommended that you restart your system after applying this update.
    last seen: 2020-06-10
    modified: 2018-12-06
    plugin id: 119433
    published: 2018-12-06
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119433
    title: RHEL 6 : openshift (RHSA-2013:0638)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2783.NASL
    description: Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
    - CVE-2011-5036: Rack computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
    - CVE-2013-0183: A remote attacker could cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.
    - CVE-2013-0184: A vulnerability in Rack::Auth::AbstractRequest allows remote attackers to cause a denial of service via unknown vectors.
    - CVE-2013-0263: Rack::Session::Cookie allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
    last seen: 2020-03-17
    modified: 2013-10-22
    plugin id: 70534
    published: 2013-10-22
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/70534
    title: Debian DSA-2783-1 : librack-ruby - several vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-2306.NASL
    description: Patch for
    - path sanitization information disclosure (CVE-2013-0262)
    - timing attack in cookie sessions (CVE-2013-0263)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-05-08
    plugin id: 66339
    published: 2013-05-08
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66339
    title: Fedora 18 : rubygem-rack-1.4.0-5.fc18 (2013-2306)

Redhat

advisories
  • RHSA id: RHSA-2013:0686

rpms
  • jenkins-0:1.502-1.el6op
  • openshift-origin-cartridge-jenkins-1.4-0:1.0.3-1.el6op
  • ruby193-rubygem-rack-1:1.4.1-4.el6
  • rubygem-rack-1:1.3.0-4.el6op
  • candlepin-0:0.7.24-1.el6_3
  • candlepin-devel-0:0.7.24-1.el6_3
  • candlepin-selinux-0:0.7.24-1.el6_3
  • candlepin-tomcat6-0:0.7.24-1.el6_3
  • katello-common-0:1.2.1.1-1h.el6_4
  • katello-configure-0:1.2.3.1-4h.el6_4
  • katello-glue-candlepin-0:1.2.1.1-1h.el6_4
  • katello-headpin-0:1.2.1.1-1h.el6_4
  • katello-headpin-all-0:1.2.1.1-1h.el6_4
  • ruby-nokogiri-0:1.5.0-0.9.beta4.el6cf
  • rubygem-actionpack-1:3.0.10-12.el6cf
  • rubygem-activemodel-0:3.0.10-3.el6cf
  • rubygem-activemodel-doc-0:3.0.10-3.el6cf
  • rubygem-delayed_job-0:2.1.4-3.el6cf
  • rubygem-delayed_job-doc-0:2.1.4-3.el6cf
  • rubygem-json-0:1.7.3-2.el6_3
  • rubygem-json-debuginfo-0:1.7.3-2.el6_3
  • rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf
  • rubygem-nokogiri-debuginfo-0:1.5.0-0.9.beta4.el6cf
  • rubygem-nokogiri-doc-0:1.5.0-0.9.beta4.el6cf
  • rubygem-rack-1:1.3.0-4.el6cf
  • rubygem-rails_warden-0:0.5.5-2.el6cf
  • rubygem-rails_warden-doc-0:0.5.5-2.el6cf
  • rubygem-rdoc-0:3.8-6.el6cf
  • rubygem-rdoc-doc-0:3.8-6.el6cf
  • thumbslug-0:0.0.28.1-1.el6_4
  • thumbslug-selinux-0:0.0.28.1-1.el6_4