Vulnerability identifier: #VU8579
Vulnerability risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-385
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Ruby on Rails
Software category: Universal components / Libraries / Scripting languages
Vendor: Rails
Description
The vulnerability allows a remote attacker to bypass authentication.
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials. Because the comparison stops at the first mismatching byte, the response time depends on how much of the supplied credential is correct, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
Mitigation
Update to version 3.2.22.1, 4.1.14.1 or 4.2.5.1.
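The following is an added illustration of the weakness class (CWE-385) described above, written for this page; it is not code from Rails or from the advisory. The credentials and the Basic header are constructed sample values. The vulnerable shape compares strings with `==`, which returns early at the first differing byte; the fixed shape hashes both sides to a fixed length and XORs every byte, as Rails' own patch does via its secure_compare helper.

```ruby
require "digest"

# Constructed example credentials, not values from the advisory.
EXPECTED_NAME = "admin"
EXPECTED_PASSWORD = "s3cret-pass"

# Parses an "Authorization: Basic <base64(name:password)>" header value.
# Returns [name, password], or nil when the header is absent or malformed.
def parse_basic_auth(header)
  return nil unless header && header.start_with?("Basic ")
  decoded = header.sub("Basic ", "").unpack1("m") # base64 decode
  name, password = decoded.split(":", 2)
  return nil if name.nil? || password.nil?
  [name, password]
end

# Vulnerable shape: String#== returns as soon as a byte differs, so the time
# taken grows with the length of the correct prefix, leaking it remotely.
def authenticate_vulnerable(header)
  creds = parse_basic_auth(header)
  return false unless creds
  creds[0] == EXPECTED_NAME && creds[1] == EXPECTED_PASSWORD
end

# Constant-time comparison: digest both inputs to a fixed length first (so the
# length difference is not leaked) and OR-accumulate the XOR of every byte,
# never returning early. Rails' ActiveSupport::SecurityUtils.secure_compare and
# Rack::Utils.secure_compare follow the same idea.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fixed shape: both comparisons always run (non-short-circuit &), and each
# runs in time independent of where the first mismatch occurs.
def authenticate_fixed(header)
  creds = parse_basic_auth(header)
  return false unless creds
  name_ok = secure_compare(creds[0], EXPECTED_NAME)
  pass_ok = secure_compare(creds[1], EXPECTED_PASSWORD)
  name_ok & pass_ok
end
```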
Vulnerable software versions
Ruby on Rails: 3.2.0 rc1 - 3.2.22, 4.1.0 rc1 - 4.1.14, 4.2.0 rc1 - 4.2.5
External links
Rubyonrails.org has released software updates at the following links:
Rails 3.2.22.1
Rails 4.1.14.1
Rails 4.2.5.1
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.