Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371)

Hash-flooding DoS attack reported for the Hash function ruby 1.9 series were using. This vulnerability is different from CVE-2011-4815 for ruby 1.8.7. All ruby 1.9 users are recommended to upgrade to ruby-1.9.3 patchlevel 327 to get this security fix.

Impact

Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity.

Details

This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other. This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4.

Solution

Please update to ruby-1.9.3 patchlevel 327 if you are using ruby 1.9 versions. Please update to trunk revision 37575 or later if you are using ruby 2.0.0 preview1 or ruby trunk. In addition to it, all ruby applications that accept input data from untrusted entity for parsing should restrict the size of the input data to reasonable size. We are not sure if we can provide protection against this kind of vulnerability at programming language level in the future.

Affected versions

  • All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 327
  • All ruby 2.0 versions (includes 2.0.0 preview1) prior to trunk revision 37575

Credit

This vulnerability is reported by Jean-Philippe Aumasson, one of the designer of SipHash. The original SipHash implementation for this fix is presented by Martin Boßlet, one of the ruby committer.

Updates

  • A typo fixed at 2012-11-21 22:16:00
  • Originally published at 2012-11-10 04:23:00