CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket

[André Arko]

There is a unintentional socket creation vulnerability in UNIXServer.openmethod of socket library bundled with Ruby. And there is also a unintentional socket access vulnerability in UNIXSocket.open method. This vulnerability has been assigned the CVE identifier CVE-2018-8779. Details UNIXServer.open accepts the path of the socket to be created at the first parameter. If the path contains NUL (\0) bytes, this method recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created at the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path. All users running an affected release should upgrade immediately. Affected Versions Ruby 2.2 series: 2.2.9 and earlier Ruby 2.3 series: 2.3.6 and earlier Ruby 2.4 series: 2.4.3 and earlier Ruby 2.5 series: 2.5.0 and earlier Ruby 2.6 series: 2.6.0-preview1 prior to trunk revision r62991 Credit Thanks to ooooooo_q for reporting the issue. History Originally published at 2018-03-28 14:00:00 (UTC) Posted by usa on 28 Mar 2018