5.3 CVE-2024-41946

Patch

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2024-41946

Categories

CWE-400 : Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame. While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause. Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. Ensure that protocols have specific limits of scale placed on them. Ensure that all failures in resource allocation place the system into a safe posture. Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service Resource exhaustion in distributed OS because of "insufficient" IGMP queue management, as exploited in the wild per CISA KEV. Product allows attackers to cause a crash via a large number of connections. Malformed request triggers uncontrolled recursion, leading to stack exhaustion. Chain: memory leak (CWE-404) leads to resource exhaustion. Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. Large integer value for a length property in an object causes a large amount of memory allocation. Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. Product allows exhaustion of file descriptors when processing a large number of TCP packets. Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack. Port scan triggers CPU consumption with processes that attempt to read data from closed sockets. Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake. Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion. Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

References

security-advisories@github.com Patch

https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 Patch
https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4 Vendor Advisory
https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml Not Applicable
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946 Vendor Advisory

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:ruby-lang:rexml::::::ruby::*		< 3.3.3

REMEDIATION

Patch

Url
https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
147	XML Ping of the Death An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target. [Survey the target] Using a browser or an automated tool, an attacker records all instance of web services to process XML requests. [Launch a resource depletion attack] The attacker delivers a large number of small XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.	Medium
227	Sustained Client Engagement An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
492	Regular Expression Exponential Blowup An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.

MITRE

Techniques

id	description
T1499	Endpoint Denial of Service
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
T1499	Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services. Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee