Bug 27976 - ruby-em-http-request new security issue CVE-2020-13482
Summary: ruby-em-http-request new security issue CVE-2020-13482
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-29 11:49 CET by Zombie Ryushu
Modified: 2021-04-02 22:26 CEST
CC List: 6 users

See Also:
Source RPM: ruby-em-http-request-1.1.5-5.mga8.src.rpm
CVE: CVE-2020-13482
Status comment:


Attachments
Sample client for the upstream reproducer (559 bytes, application/x-ruby)
2021-04-02 01:05 CEST, Len Lawrence
Sample client for the upstream reproducer (545 bytes, text/plain)
2021-04-02 01:12 CEST, Len Lawrence

Description Zombie Ryushu 2020-12-29 11:49:46 CET
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
Zombie Ryushu 2020-12-29 11:50:50 CET

Source RPM: ruby-em-http-request => ruby-em-http-request-1.1.5-5.mga8.src.rpm
CVE: (none) => CVE-2020-13482

Comment 1 Nicolas Lécureuil 2020-12-29 12:29:41 CET
version 1.1.6 pushed in cauldron

Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => mageia

Comment 2 Zombie Ryushu 2020-12-29 12:33:49 CET
Some of these bugs may apply to Mageia 7.
David Walser 2020-12-29 17:16:40 CET

Resolution: FIXED => (none)
Status comment: (none) => Fixed upstream in 1.1.6
Status: RESOLVED => REOPENED
Version: Cauldron => 7

David Walser 2020-12-29 17:16:53 CET

Summary: ruby-em-http-request security issue CVE-2020-13482 => ruby-em-http-request new security issue CVE-2020-13482

Comment 3 Aurelien Oudelet 2020-12-29 21:16:20 CET
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => pkg-bugs

Comment 5 Nicolas Lécureuil 2021-01-13 21:19:05 CET
Freeze push asked
David Walser 2021-01-13 22:30:31 CET

Whiteboard: (none) => MGA7TOO

Comment 6 Nicolas Lécureuil 2021-01-14 12:45:02 CET
available on cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 7 Nicolas Lécureuil 2021-03-25 22:31:05 CET
new version pushed in mga7:

src:
    - ruby-em-http-request-1.1.7-1.mga7

Status comment: Fixed upstream in 1.1.6 => (none)
Assignee: pkg-bugs => qa-bugs

Comment 8 David Walser 2021-03-26 20:55:33 CET
Package list:
ruby-em-http-request-1.1.7-1.mga7
ruby-em-http-request-doc-1.1.7-1.mga7
Comment 9 David Walser 2021-03-26 21:09:06 CET
Advisory:
========================

Updated ruby-em-http-request packages fix security vulnerability:

A flaw was found in rubygem-em-http-request. The eventmachine library does not
verify the hostname in a TLS server certificate which can allow an attacker to
perform a man-in-the-middle attack. The highest threat from this vulnerability
is to data confidentiality and integrity (CVE-2020-13482).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13482
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z32PUJA6RGBZ3TKSOTGUXZ45662S3MVF/
Comment 10 Len Lawrence 2021-04-01 19:06:32 CEST
mga7, x86_64

CVE-2020-13482
https://github.com/igrigorik/em-http-request/issues/339
$ gem list | grep eventmachine
eventmachine (1.2.7)
Installed the package, which pulled in the bundled eventmachine gem.  Problems ahead?
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a RSA private key
....

Copied the simple client script and found that it failed to run.
$ ruby client.rb "https://test.coinbase.com"
Traceback (most recent call last):
	2: from client.rb:4:in `<main>'
	1: from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:92:in `require'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:92:in `require': cannot load such file -- em-http (LoadError)
$ sudo updatedb
$ locate em-http.rb
$ locate em-http-request.rb
Those turned up nothing.

/usr/share/gems/gems/em-http-request-1.1.5/lib/em-http.rb exists so worth a shot.  There is also an em-http-request.rb file in the same directory.
Tried the full path name but same result.
Any idea what I should try next?  It does not look like permissions problems (dirs 755, files 644).
Script header is:
#!/usr/bin/ruby -W0
require 'rubygems'

require 'eventmachine'
require '/usr/share/gems/gems/em-http-request-1.1.5/lib/em-http'

CC: (none) => tarazed25

Len Lawrence 2021-04-01 19:09:51 CEST

Keywords: (none) => feedback

Comment 11 Len Lawrence 2021-04-02 00:59:34 CEST
Follow on from comment 10.
Out of curiosity I tried out the procedure on Mageia 8 with the release 1.7 version and had no problem running the sample client, which worked as expected then threw an error on connection close.  Probably to be expected as this is not a real case.  No need to specify the full path either.

Shall try another mga7 installation and make sure that eventmachine is not already installed.  Some conflict between bundled and gem install is the only thing I can think of.
Comment 12 Len Lawrence 2021-04-02 01:05:48 CEST
Created attachment 12556 [details]
Sample client for the upstream reproducer

CVE-2020-13482
Comment 13 Len Lawrence 2021-04-02 01:12:57 CEST
Created attachment 12557 [details]
Sample client for the upstream reproducer

Fixed the error at CONNECTION CLOSED.

Attachment 12556 is obsolete: 0 => 1

Comment 14 Dave Hodgins 2021-04-02 06:19:41 CEST
(In reply to Len Lawrence from comment #10)
> mga7, x86_64
> /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:92:in `require':
> cannot load such file -- em-http (LoadError)
> $ sudo updatedb
> $ locate em-http.rb
> $ locate em-http-request.rb
> Those turned up nothing.

# urpmf em-http.rb
ruby-em-http-request:/usr/share/gems/gems/em-http-request-1.1.5/lib/em-http.rb
ruby-em-http-request:/usr/share/gems/gems/em-http-request-1.1.7/lib/em-http.rb

Keywords: feedback => (none)
CC: (none) => davidwhodgins

Comment 15 Len Lawrence 2021-04-02 08:49:37 CEST
Thanks Dave.  After clearing the decks and starting again I was able to run the sample client.  However the server no longer runs, even after restarting the certificate generation process.

New cert.pem and key.pem in place.
$ openssl s_server -key key.pem -cert cert.pem -accept 443
Using default temp DH parameters
ACCEPT
139860239832896:error:0200600D:system library:bind:Permission denied:crypto/bio/b_sock2.c:220:
139860239832896:error:2008B075:BIO routines:BIO_listen:unable to bind socket:crypto/bio/b_sock2.c:221:
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
$
However, if run by root it works:
# openssl s_server -key key.pem -cert cert.pem -accept 443
Using default temp DH parameters
ACCEPT

$ ruby client.rb "https://test.coinbase.com"
https://test.coinbase.com
Errno::ETIMEDOUT

The server reports:
 -----BEGIN SSL SESSION PARAMETERS-----
[...]
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-...................
SHA256:AES128-SHA
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: X25519:P-256:P-521:P-384
Shared Elliptic curves: X25519:P-256:P-521:P-384
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
GET / HTTP/1.1
Connection: close
Host: test.coinbase.com
User-Agent: EventMachine HttpClient
Accept-Encoding: gzip, compressed

ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT

So, it looks like it is working although I do not know what to expect at this stage.  Shall see how it looks after the update.
Comment 16 Len Lawrence 2021-04-02 09:05:14 CEST
After the update root restarted the openssl server and user ran the sample client, with the same result.
$ ruby client.rb "https://test.coinbase.com"
https://test.coinbase.com
Errno::ETIMEDOUT

From the server:
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT

If this is the expected result then this update can be sent on its way.
Although this test is for a reproducer it does exercise the event machine and http request side of things.

Awaiting further advice.
Comment 17 Len Lawrence 2021-04-02 09:14:23 CEST
And, /etc/hosts does have the fake DNS entry:
127.0.0.1 test.coinbase.com
Comment 18 Len Lawrence 2021-04-02 09:49:52 CEST
Closer inspection of the server output confirms that the before and after outputs are the same and match the upstream report as far as it goes, which seems to indicate that the vulnerability might have been fixed already in version 1.5.

My understanding is that the server ERROR message shows that the host validation check succeeds in exposing the fake site.
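As an added illustration, not code from the bug report or from em-http-request itself: the step the vulnerable versions skipped is hostname verification of the server certificate, shown here with Ruby's standard OpenSSL binding on constructed self-signed certificates (the example.test names are made up for the test). It mirrors the reproducer above, where a certificate that does not name test.coinbase.com must be rejected, and also covers the wildcard and CN-only cases.

```ruby
require 'openssl'

# Constructed test data: a self-signed certificate standing in for the
# cert.pem made with `openssl req -x509` in the QA procedure above.
def make_self_signed_cert(common_name, san_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = san_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check that CVE-2020-13482 is about: after the chain verifies,
# confirm the certificate actually names the host the client meant to
# reach. SAN dNSName entries are used when present (RFC 6125), and the
# subject CN is consulted only when there are none.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Client-side context that enforces both checks. Without verify_hostname
# a chain-valid certificate for any other name would be accepted, which
# is exactly the man-in-the-middle exposure described in the advisory.
def hardened_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.verify_hostname = true
  ctx
end
```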
Len Lawrence 2021-04-02 12:18:32 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 19 Thomas Andrews 2021-04-02 17:04:02 CEST
Your persistence is appreciated, Len. Validating. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-04-02 21:20:57 CEST

Keywords: (none) => advisory

Comment 20 Mageia Robot 2021-04-02 22:26:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0172.html

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
