Add advisory for SMTP injection vulnerability in mail <2.6.0 #215
Comments
|
I did a git bisect using a test case I received from the author, and if I'm understanding the issue correctly, I think mikel/mail@72befdc fixed it. Let me confer with the paper author to make sure I'm seeing the right thing. |
|
He confirms it's that rev. If the unfold method is commented out, the problem returns. |
|
The paper author has informed me "BTW, while investigating the source code of Mail, I came to think the fault might be more on Net::SMTP's side. It is difficult to say who is responsible for it, Net::SMTP, Mail or application developers (library users) though." 'mail' guys... thoughts on this? In any case, should add a test to 'mail' to ensure this doesn't pop up again. :) |
|
Always learning something new, thx. |
|
Request made to MITRE (and also posted to oss-security@) for a CVE. Also requested an ID from OSVDB. Sucks we have to wait for one of them before getting this advisory published. |
|
First we've heard of this for the mail lib. Forwarded to security@ruby-lang.org, too. |
|
@reedloden how the heck did you find this? Do you know if the author tried to contact anyone before publishing? |
|
@bf4 The paper was posted on r/netsec. It was indirectly mentioned in an advisory for PHPMailer as well. I'm in contact with the author, so I will ask him, but I suspect not for Ruby at least, as the issue had been fixed already (though not on purpose, it seems). |
|
It was originally posted to the WebAppSec mailing list on 2015-12-09. |
|
The mail 2.6.x fix is a coincidence. Even if it was intentional, it wouldn't be a sufficient fix for the underlying SMTP injection vuln. The referenced paper discusses this a bit: crafting otherwise-legal FWS to inject & exploit specific MTAs. Furthermore, the fix is a side effect of incorrect behavior. Fixing that behavior in the mail lib would inadvertently re-expose the underlying SMTPi vuln that had been coincidentally masked. No good. To rule out this risk, we need input validation in stdlib net/smtp. |
|
Is there a bug filed with ruby upstream to add that validation so that this On Tuesday, April 5, 2016, Jeremy Daer notifications@github.com wrote:
|
|
@reedloden Yep, filed 2015-12-11. |
|
@jeremy Link to bug report just so I can track it? |
|
@reedloden not public; reported to security@ruby-lang.org. |
|
HackerOne report and fix: https://hackerone.com/reports/137631 Resolved in Ruby 2.4.0 release by ruby/ruby@0827a7e |
|
2.5.5.rc1 and 2.6.6.rc1 gems released with SMTP address validation: mikel/mail#1097 |
|
@jeremy hey! Do we need to update anything re: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mail/OSVDB-131677.yml ? I'm thinking re: the patched or fixed versions. (Aside from adding better context of course. We could add links, and or move off OSVDB if there's a CVE for it…) Thanks! |
|
Hey @phillmv! Could just bump Vulnerable:
Non vulnerable:
Not sure how this best maps to advisories. |
|
We should split this into two advisories: one for the Mail gem not doing output validation and another for Ruby SMTP allowing CRLF injection. I requested a CVE for the Ruby vuln. @reedloden requested back in 2015 as well, so we may have a dupe or that may apply to the Mail lib only. |
|
I'm fine with the most basic "your ass is covered" version range, and thank you for confirming. I approved the PR and added some useful context: 01c549e If you think it's more accurate to have a 2nd advisory that's fine by me. |
|
PR for Ruby vuln, pending CVE assignment: #293 |
|
CVE-2015-9096 (Ruby) and CVE-2015-9097 (Mail) assigned. #293 updated. |
|
Woot! Thanks! |
Need an advisory for the mail vulnerability discussed in http://www.mbsd.jp/Whitepaper/smtpi.pdf (section 3.1)
Affects <2.6.0
The text was updated successfully, but these errors were encountered: