Posted by zzak on 13 Apr 2015

Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492. Similar issues were found in Python.

This vulnerability has been assigned the CVE identifier CVE-2015-1855.

We strongly recommend you upgrade Ruby.

Details

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.

Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no-longer allowed. As well, comparison of these values is now case-insensitive.

This change will affect Ruby’s OpenSSL::SSL#verify_certificate_identity behavior.

Specifically:

Only one wildcard character in the left-most part of the hostname is allowed.

IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).

Subject/SAN should be limited to ASCII characters only.

All users running an affected release should upgrade immediately.

Affected versions

All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 645

All Ruby 2.1 versions prior to Ruby 2.1.6

All Ruby 2.2 versions prior to Ruby 2.2.2

prior to trunk revision 50292

Credits

Thanks to Tony Arcieri, Jeffrey Walton, and Steffan Ullrich for reporting this issue. Originally reported as Bug #9644, and patches submitted by Tony Arcieri and Hiroshi Nakamura.

History