#VU55489 Improper Certificate Validation in Ruby


Published: 2021-08-02

Vulnerability identifier: #VU55489

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-32066

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby
Universal components / Libraries / Scripting languages

Vendor: Ruby

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in Net::IMAP in Ruby, due to the gem does not raise an exception when StartTLS fails with an an unknown response. A remote attacker can perform a man-in-the-middle (MitM) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ruby: 2.6.0 - 3.0.1

External links
http://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
http://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
http://hackerone.com/reports/1178562

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Ruby
Multiple vulnerabilities in Dell VxRail Appliance components
SUSE update for ruby
Multiple vulnerabilities in DELL Secure Connect Gateway Security
SUSE update for ruby2.5
Multiple vulnerabilities in JD Edwards EnterpriseOne Tools
Red Hat Software Collections update for rh-ruby26-ruby
Red Hat Enterprise Linux 8 update for the ruby:2.5 module
Red Hat Enterprise Linux 8.2 update for the ruby:2.6 module
Red Hat Enterprise Linux 8.1 update for the ruby:2.6 module