CVE-2015-1855: Ruby OpenSSL Hostname Verification

Posted by zzak on 13 Apr 2015

Ruby’s OpenSSL extension is vulnerable to overly permissive matching of hostnames when verifying the identity in a TLS certificate, the same class of bug as CVE-2014-1492. Similar issues have been found in Python.

This vulnerability has been assigned the CVE identifier CVE-2015-1855.

We strongly recommend you upgrade Ruby.

Details

After reviewing RFC 6125 and RFC 5280, we found multiple violations of the hostname matching rules, particularly for wildcard certificates.

Ruby’s OpenSSL extension now uses a stricter string-based matching algorithm, as recommended by these RFCs. In particular, more than one wildcard per subject/SAN is no longer allowed, and comparison of these values is now case-insensitive.

This change affects the behavior of OpenSSL::SSL.verify_certificate_identity.

Specifically:

  • Only one wildcard character is allowed, and only in the left-most label of the name.
  • IDNA names (A-labels beginning with ‘xn--’) can now only be matched by a simple wildcard label (e.g. ‘*.domain’), not by a label with an embedded wildcard.
  • Subject/SAN values are limited to ASCII characters; a non-ASCII value does not match.
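
The following is an added example, not code from Ruby’s OpenSSL extension, showing one way to implement the rules listed above as a stand-alone hostname matcher. The module and method names are this example’s own, and it operates on plain strings (a reference hostname and one presented identifier taken from a CN or dNSName SAN) rather than on an OpenSSL::X509::Certificate.

```ruby
# Added example: strict hostname matching per RFC 6125 section 6.4.3 and the
# RFC 5280 IA5String restriction. Not the code from Ruby's OpenSSL extension;
# StrictHostnameMatch and its methods are names chosen for this example.
module StrictHostnameMatch
  module_function

  # Returns true only when +presented+ (a CN or dNSName value from the
  # certificate) matches +reference+ (the hostname the client dialed).
  def match?(reference, presented)
    # RFC 5280: dNSName is an IA5String, so non-ASCII on either side is a
    # mismatch, not something to normalize or case-fold.
    return false unless reference.ascii_only? && presented.ascii_only?

    # RFC 6125 section 6.4.1: DNS names compare case-insensitively.
    ref_labels  = reference.downcase.split(".", -1)
    pres_labels = presented.downcase.split(".", -1)

    # A presented identifier without a dot is never a wildcard pattern.
    return reference.downcase == presented.downcase if pres_labels.size < 2

    # "*.example.com" matches exactly one label: foo.example.com matches,
    # bar.foo.example.com and example.com do not.
    return false unless ref_labels.size == pres_labels.size

    # The wildcard may appear only in the left-most label (reject bar.*.example.net).
    return false if pres_labels[1..-1].any? { |label| label.include?("*") }

    return false unless leftmost_match?(ref_labels.first, pres_labels.first)

    # Every remaining label must match literally.
    ref_labels[1..-1] == pres_labels[1..-1]
  end

  # Matches a single left-most label, which is the only place '*' is allowed.
  def leftmost_match?(ref_label, pres_label)
    parts = pres_label.split("*", -1)

    # More than one '*' in the label is rejected outright.
    return false if parts.size > 2
    # No wildcard: plain label equality.
    return ref_label == pres_label if parts.size == 1

    # An IDNA A-label may only be matched by the simple wildcard "*",
    # never by a pattern that embeds '*' inside the label.
    return false if ref_label.start_with?("xn--") && pres_label != "*"

    prefix, suffix = parts
    # The wildcard must consume at least one character, and the fixed parts
    # must sit at the ends of the reference label without overlapping.
    prefix.size + suffix.size < ref_label.size &&
      ref_label.start_with?(prefix) &&
      ref_label.end_with?(suffix)
  end
end

# Constructed cases illustrating each rule (reference host, presented value, expected).
CASES = [
  ["foo.example.com",         "*.example.com",     true],
  ["Foo.Example.COM",         "*.example.com",     true],   # case-insensitive
  ["example.com",             "*.example.com",     false],  # label count differs
  ["bar.foo.example.com",     "*.example.com",     false],  # wildcard spans one label
  ["bar.foo.example.net",     "bar.*.example.net", false],  # wildcard not left-most
  ["ab.example.com",          "**.example.com",    false],  # two wildcards
  ["a.b.example.com",         "*.*.example.com",   false],  # two wildcards
  ["foo.example.com",         "f*o.example.com",   true],   # partial wildcard, ASCII label
  ["xn--caf-dma.example.com", "*.example.com",     true],   # IDNA with simple wildcard
  ["xn--caf-dma.example.com", "x*.example.com",    false],  # IDNA with embedded wildcard
  ["caf\u00e9.example.com",   "*.example.com",     false],  # non-ASCII reference
].freeze

def all_cases_pass?
  CASES.all? { |ref, pres, expected| StrictHostnameMatch.match?(ref, pres) == expected }
end

puts(all_cases_pass? ? "all cases behave as expected" : "mismatch found") if $PROGRAM_NAME == __FILE__
```

Note that, like RFC 6125 itself, this matcher does not reject a wildcard directly under a public suffix such as `*.com`; that restriction is a matter of CA policy on issuance, not of the client-side matching rules this advisory describes.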

All users running an affected release should upgrade immediately.

Affected versions

  • All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 645
  • All Ruby 2.1 versions prior to Ruby 2.1.6
  • All Ruby 2.2 versions prior to Ruby 2.2.2
  • Ruby trunk prior to revision 50292

Credits

Thanks to Tony Arcieri, Jeffrey Walton, and Steffan Ullrich for reporting this issue. Originally reported as Bug #9644, and patches submitted by Tony Arcieri and Hiroshi Nakamura.

History

  • Originally published at 2015-04-13 12:00:00 (UTC)
