Vulnerabilities > CVE-2015-3900 - 7PK - Security Features vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-1067-1.NASL
description: This ruby2.1 update to version 2.1.9 fixes the following issues: Security issues fixed : - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 99578
published: 2017-04-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99578
title: SUSE SLED12 / SLES12 Security Update : ruby2.1 (SUSE-SU-2017:1067-1)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2017:1067-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(99578);
  script_version("3.7");
  script_cvs_date("Date: 2019/09/11 11:22:15");

  script_cve_id("CVE-2014-4975", "CVE-2015-1855", "CVE-2015-3900", "CVE-2015-7551", "CVE-2016-2339");
  script_bugtraq_id(68474, 74446, 75482);

  script_name(english:"SUSE SLED12 / SLES12 Security Update : ruby2.1 (SUSE-SU-2017:1067-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This ruby2.1 update to version 2.1.9 fixes the following issues:

Security issues fixed :

  - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808)
  - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)
  - CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032)
  - CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames (bsc#926974)
  - CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877)

Bugfixes :

  - SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863)
  - Segmentation fault after pack & ioctl & unpack (bsc#909695)
  - Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog :

  - http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1014863"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1018808"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=887877"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=909695"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=926974"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=936032"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=959495"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=986630"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2014-4975/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2015-1855/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2015-3900/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2015-7551/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-2339/"
  );
  # https://www.suse.com/support/update/announcement/2017/suse-su-20171067-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b050ba23"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-624=1
SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t patch SUSE-SLE-SDK-12-SP1-2017-624=1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-624=1
SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-624=1
SUSE Linux Enterprise Server 12-SP1:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-624=1
SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-624=1
SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-624=1
OpenStack Cloud Magnum Orchestration 7:zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-624=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libruby2_1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libruby2_1-2_1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ruby2.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ruby2.1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ruby2.1-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ruby2.1-stdlib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ruby2.1-stdlib-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP1/2", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"1", reference:"libruby2_1-2_1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"libruby2_1-2_1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"ruby2.1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"ruby2.1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"ruby2.1-debugsource-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"ruby2.1-stdlib-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"ruby2.1-stdlib-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libruby2_1-2_1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libruby2_1-2_1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ruby2.1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ruby2.1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ruby2.1-debugsource-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ruby2.1-stdlib-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ruby2.1-stdlib-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libruby2_1-2_1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libruby2_1-2_1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"ruby2.1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"ruby2.1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"ruby2.1-debugsource-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"ruby2.1-stdlib-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"ruby2.1-stdlib-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libruby2_1-2_1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libruby2_1-2_1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"ruby2.1-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"ruby2.1-debuginfo-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"ruby2.1-debugsource-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"ruby2.1-stdlib-2.1.9-15.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"ruby2.1-stdlib-debuginfo-2.1.9-15.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby2.1");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-12501.NASL
description: Update to RubyGems 2.4.8. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2015-08-11
plugin id: 85309
published: 2015-08-11
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/85309
title: Fedora 23 : rubygems-2.4.8-100.fc23 (2015-12501)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-12501.
#

include("compat.inc");

if (description)
{
  script_id(85309);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-3900");
  script_xref(name:"FEDORA", value:"2015-12501");

  script_name(english:"Fedora 23 : rubygems-2.4.8-100.fc23 (2015-12501)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Update to RubyGems 2.4.8.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1236116"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3484cb87"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected rubygems package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rubygems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC23", reference:"rubygems-2.4.8-100.fc23")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rubygems");
}
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1050.NASL
description: According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new
last seen: 2020-05-06
modified: 2017-05-01
plugin id: 99895
published: 2017-05-01
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99895
title: EulerOS 2.0 SP1 : ruby (EulerOS-SA-2017-1050)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99895);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2015-3900",
    "CVE-2016-2337",
    "CVE-2016-2339"
  );
  script_bugtraq_id(
    75482
  );

  script_name(english:"EulerOS 2.0 SP1 : ruby (EulerOS-SA-2017-1050)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new 'initialize' function functionality of Ruby. In Fiddle::Function.new 'initialize' heap buffer 'arg_types' allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.(CVE-2016-2339)

  - Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as 'retval' argument can cause arbitrary code execution.(CVE-2016-2337)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1050
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b233fe7d");
  script_set_attribute(attribute:"solution", value:
"Update the affected ruby packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-irb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-bigdecimal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-io-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-psych");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-rdoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["ruby-2.0.0.353-23.h4",
        "ruby-irb-2.0.0.353-23.h4",
        "ruby-libs-2.0.0.353-23.h4",
        "rubygem-bigdecimal-1.2.0-23.h4",
        "rubygem-io-console-0.4.2-23.h4",
        "rubygem-json-1.7.7-23.h4",
        "rubygem-psych-2.0.0-23.h4",
        "rubygem-rdoc-4.0.0-23.h4",
        "rubygems-2.0.14-23.h4"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby");
}
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1051.NASL
description: According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new
last seen: 2020-05-06
modified: 2017-05-01
plugin id: 99896
published: 2017-05-01
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99896
title: EulerOS 2.0 SP2 : ruby (EulerOS-SA-2017-1051)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99896);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2015-3900",
    "CVE-2016-2337",
    "CVE-2016-2339"
  );
  script_bugtraq_id(
    75482
  );

  script_name(english:"EulerOS 2.0 SP2 : ruby (EulerOS-SA-2017-1051)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new 'initialize' function functionality of Ruby. In Fiddle::Function.new 'initialize' heap buffer 'arg_types' allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.(CVE-2016-2339)

  - Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as 'retval' argument can cause arbitrary code execution.(CVE-2016-2337)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1051
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d7ccee39");
  script_set_attribute(attribute:"solution", value:
"Update the affected ruby packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-irb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-bigdecimal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-io-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-psych");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygem-rdoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:rubygems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["ruby-2.0.0.598-25.h3",
        "ruby-irb-2.0.0.598-25.h3",
        "ruby-libs-2.0.0.598-25.h3",
        "rubygem-bigdecimal-1.2.0-25.h3",
        "rubygem-io-console-0.4.2-25.h3",
        "rubygem-json-1.7.7-25.h3",
        "rubygem-psych-2.0.0-25.h3",
        "rubygem-rdoc-4.0.0-25.h3",
        "rubygems-2.0.14-25.h3"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby");
}
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_A0089E18FC9E11E4BC58001E67150279.NASL
description: Jonathan Claudius reports : RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 83513
published: 2015-05-18
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/83513
title: FreeBSD : rubygems -- request hijacking vulnerability (a0089e18-fc9e-11e4-bc58-001e67150279)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(83513);
  script_version("2.4");
  script_cvs_date("Date: 2018/11/10 11:49:44");

  script_cve_id("CVE-2015-3900");

  script_name(english:"FreeBSD : rubygems -- request hijacking vulnerability (a0089e18-fc9e-11e4-bc58-001e67150279)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Jonathan Claudius reports :

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it.

This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200264"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html"
  );
  # https://vuxml.freebsd.org/freebsd/a0089e18-fc9e-11e4-bc58-001e67150279.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a870b517"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ruby20-gems");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ruby21-gems");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ruby22-gems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"ruby20-gems<2.4.7")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ruby21-gems<2.4.7")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ruby22-gems<2.4.7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-13157.NASL
description: Update to RubyGems 2.2.5. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2015-08-20
plugin id: 85553
published: 2015-08-20
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/85553
title: Fedora 21 : rubygems-2.2.5-100.fc21 (2015-13157)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-13157.
#

include("compat.inc");

if (description)
{
  script_id(85553);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-3900");
  script_xref(name:"FEDORA", value:"2015-13157");

  script_name(english:"Fedora 21 : rubygems-2.2.5-100.fc21 (2015-13157)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
  script_set_attribute(
    attribute:"description",
    value:
"Update to RubyGems 2.2.5.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1236116");
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?40313ff4");
  script_set_attribute(attribute:"solution", value:"Update the affected rubygems package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rubygems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
# Flag the host if the installed rubygems package is older than the advisory build.
if (rpm_check(release:"FC21", reference:"rubygems-2.2.5-100.fc21")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rubygems");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-12574.NASL
description: Update to RubyGems 2.4.8. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2015-08-11
plugin id: 85312
published: 2015-08-11
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/85312
title: Fedora 22 : rubygems-2.4.8-100.fc22 (2015-12574)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-12574.
#

include("compat.inc");

if (description)
{
  script_id(85312);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-3900");
  script_xref(name:"FEDORA", value:"2015-12574");

  script_name(english:"Fedora 22 : rubygems-2.4.8-100.fc22 (2015-12574)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");
  script_set_attribute(
    attribute:"description",
    value:
"Update to RubyGems 2.4.8.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1236116");
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9aedd58");
  script_set_attribute(attribute:"solution", value:"Update the affected rubygems package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rubygems");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
# Flag the host if the installed rubygems package is older than the advisory build.
if (rpm_check(release:"FC22", reference:"rubygems-2.4.8-100.fc22")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rubygems");
}
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2015-547.NASL
description: RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900) As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84248
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84248
title: Amazon Linux AMI : ruby20 (ALAS-2015-547)
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2015-547.
#

include("compat.inc");

if (description)
{
  script_id(84248);
  script_version("2.3");
  script_cvs_date("Date: 2018/04/18 15:09:35");

  script_cve_id("CVE-2015-3900", "CVE-2015-4020");
  script_xref(name:"ALAS", value:"2015-547");

  script_name(english:"Amazon Linux AMI : ruby20 (ALAS-2015-547)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(
    attribute:"description",
    value:
"RubyGems provides the ability of a domain to direct clients to a
separate host that is used to fetch gems and make API calls against.
This mechanism is implemented via DNS, specifically a SRV record
_rubygems._tcp under the original requested domain. RubyGems did not
validate the hostname returned in the SRV record before sending
requests to it. (CVE-2015-3900)

As discussed upstream, CVE-2015-4020 is due to an incomplete fix for
CVE-2015-3900, which allowed redirection to an arbitrary gem server in
any security domain."
  );
  # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3dfa3e8c");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2015-547.html");
  script_set_attribute(attribute:"solution", value:"Run 'yum update ruby20' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-irb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby20-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem20-bigdecimal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem20-io-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem20-psych");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems20");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems20-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# Each ruby20 sub-package is compared against the advisory's fixed build.
if (rpm_check(release:"ALA", reference:"ruby20-2.0.0.645-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby20-debuginfo-2.0.0.645-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby20-devel-2.0.0.645-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby20-doc-2.0.0.645-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby20-irb-2.0.0.645-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby20-libs-2.0.0.645-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygem20-bigdecimal-1.2.0-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygem20-io-console-0.4.2-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygem20-psych-2.0.0-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygems20-2.0.14-1.27.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygems20-devel-2.0.14-1.27.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby20 / ruby20-debuginfo / ruby20-devel / ruby20-doc / ruby20-irb / etc");
}
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2015-548.NASL
description: RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900) As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84249
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84249
title: Amazon Linux AMI : ruby21 (ALAS-2015-548)
code:
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2015-548.
#

include("compat.inc");

if (description)
{
  script_id(84249);
  script_version("2.3");
  script_cvs_date("Date: 2018/04/18 15:09:35");

  script_cve_id("CVE-2015-3900", "CVE-2015-4020");
  script_xref(name:"ALAS", value:"2015-548");

  script_name(english:"Amazon Linux AMI : ruby21 (ALAS-2015-548)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(
    attribute:"description",
    value:
"RubyGems provides the ability of a domain to direct clients to a
separate host that is used to fetch gems and make API calls against.
This mechanism is implemented via DNS, specifically a SRV record
_rubygems._tcp under the original requested domain. RubyGems did not
validate the hostname returned in the SRV record before sending
requests to it. (CVE-2015-3900)

As discussed upstream, CVE-2015-4020 is due to an incomplete fix for
CVE-2015-3900, which allowed redirection to an arbitrary gem server in
any security domain."
  );
  # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3dfa3e8c");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2015-548.html");
  script_set_attribute(attribute:"solution", value:"Run 'yum update ruby21' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-irb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ruby21-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem21-bigdecimal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem21-io-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygem21-psych");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems21");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:rubygems21-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# Each ruby21 sub-package is compared against the advisory's fixed build.
if (rpm_check(release:"ALA", reference:"ruby21-2.1.6-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby21-debuginfo-2.1.6-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby21-devel-2.1.6-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby21-doc-2.1.6-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby21-irb-2.1.6-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ruby21-libs-2.1.6-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygem21-bigdecimal-1.2.4-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygem21-io-console-0.4.3-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygem21-psych-2.0.5-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygems21-2.2.3-1.17.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"rubygems21-devel-2.2.3-1.17.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby21 / ruby21-debuginfo / ruby21-devel / ruby21-doc / ruby21-irb / etc");
}
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-527.NASL
description: This ruby2.1 update to version 2.1.9 fixes the following issues : Security issues fixed : - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new
last seen: 2020-06-05
modified: 2017-05-01
plugin id: 99753
published: 2017-05-01
reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/99753
title: openSUSE Security Update : ruby2.1 (openSUSE-2017-527)

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2015-549.NASL
description: RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900) As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84250
published: 2015-06-18
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/84250
title: Amazon Linux AMI : ruby22 (ALAS-2015-549)

NASL family: CGI abuses
NASL id: PUPPET_ENTERPRISE_CVE_2015-4100.NASL
description: According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 3.7.x or 3.8.x prior to 3.8.1. It is, therefore, affected by the following vulnerabilities :
- A flaw exists in RubyGems due to a failure to validate hostnames when fetching gems or making API requests. A remote attacker, using a crafted DNS SRV record, can exploit this to redirect requests to arbitrary domains. (CVE-2015-3900)
- A flaw exists in RubyGems due to a failure to sanitize DNS responses, which allows a man-in-the-middle attacker to install arbitrary applications. (CVE-2015-4020)
- A flaw exists in Puppet Enterprise related to how certificates are managed, under certain vulnerable configurations, which allows a trusted certificate to be used to perform full certificate management. An attacker can exploit this flaw to revoke the certificates of other nodes or to approve their certificate requests. (CVE-2015-4100)
Note that the default
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 84961
published: 2015-07-23
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/84961
title: Puppet Enterprise 3.7.x < 3.8.1 / 3.8.x < 3.8.1 Multiple Vulnerabilities
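The plugin descriptions above all turn on one check: whether the host named in the `_rubygems._tcp` SRV record is allowed to stand in for the gem source the user configured. The Ruby below is an added example written for this page, not RubyGems' own code or Tenable's. It places a loose suffix test (the class of incomplete validation the ALAS text describes for CVE-2015-4020) beside a label-boundary test, and wires the strict one into a small endpoint resolver. The names `srv_target_allowed_loose?`, `srv_target_allowed_strict?`, `api_endpoint` and `FakeResolver`, and every hostname in the scenario, are this example's own constructions.

```ruby
require 'resolv'
require 'uri'

# Added example, not RubyGems' own code. Shows the hostname check a client
# must apply to the target of a _rubygems._tcp SRV record before following
# the redirect, contrasting a loose suffix test with a label-boundary test.

# Loose check: a bare suffix comparison. It accepts any name that merely
# ends with the original host, so "fake-rubygems.org" passes for
# "rubygems.org"; this is the incomplete validation the advisories describe.
def srv_target_allowed_loose?(original_host, target)
  target.to_s.strip.downcase.chomp('.').end_with?(original_host.downcase.chomp('.'))
end

# Strict check: the target must be the original host itself or sit beneath
# it at a label boundary (".<host>"). Case and a trailing dot, both common
# in DNS answers, are normalised first so they cannot skew the comparison.
def srv_target_allowed_strict?(original_host, target)
  host = original_host.to_s.strip.downcase.chomp('.')
  t = target.to_s.strip.downcase.chomp('.')
  return false if host.empty? || t.empty?
  t == host || t.end_with?(".#{host}")
end

# Resolve the API endpoint for a gem source URI. The SRV record is consulted,
# but the redirect is honoured only when the strict check passes; otherwise
# the configured URI is used unchanged. `resolver` must respond to
# getresource(name, type) like Resolv::DNS; a constructed fake is used below.
def api_endpoint(source_uri, resolver)
  uri = URI(source_uri)
  host = uri.host
  begin
    res = resolver.getresource("_rubygems._tcp.#{host}", Resolv::DNS::Resource::IN::SRV)
  rescue Resolv::ResolvError
    return uri                       # no SRV record: keep the configured source
  end
  target = res.target.to_s.strip.chomp('.')
  return uri unless srv_target_allowed_strict?(host, target)
  URI("#{uri.scheme}://#{target}#{uri.path}")
end

# Constructed stand-in for Resolv::DNS so the example runs offline. `answers`
# maps a query name to a Resolv::DNS::Resource::IN::SRV record.
class FakeResolver
  def initialize(answers)
    @answers = answers
  end

  def getresource(name, _type)
    @answers.fetch(name) { raise Resolv::ResolvError, "no SRV record for #{name}" }
  end
end

# Constructed scenario: a legitimate redirect (rubygems.org -> api.rubygems.org),
# an SRV answer that only the loose check would accept, and a source with no
# SRV record at all. Returns the host each source actually ends up using.
def demo
  srv = ->(target) { Resolv::DNS::Resource::IN::SRV.new(0, 0, 443, target) }
  legit   = FakeResolver.new('_rubygems._tcp.rubygems.org' => srv.call('api.rubygems.org'))
  spoofed = FakeResolver.new('_rubygems._tcp.rubygems.org' => srv.call('fake-rubygems.org'))
  {
    legit:   api_endpoint('https://rubygems.org/', legit).host,    # "api.rubygems.org"
    spoofed: api_endpoint('https://rubygems.org/', spoofed).host,  # "rubygems.org"
    no_srv:  api_endpoint('https://gems.example/', spoofed).host,  # "gems.example"
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The point to carry away is that the strict test still permits the legitimate delegation the SRV mechanism exists for (a host under the configured domain) while refusing a name that only shares a suffix; the remaining risk, an attacker who controls records under the configured domain itself, is outside what hostname validation can address and is why gem sources should be served over TLS with certificate verification.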
References
- http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164236.html
- http://rhn.redhat.com/errata/RHSA-2015-1657.html
- http://www.openwall.com/lists/oss-security/2015/06/26/2
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75482
- https://puppet.com/security/cve/CVE-2015-3900
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/