Ruby CVE-2017-14033 Buffer Underrun Vulnerability

Ruby is prone to a buffer-underrun vulnerability.

An attacker can exploit this issue to cause denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.

The following versions are affected:
Ruby 2.2.7 and prior versions are affected.
Ruby 2.3.4 and prior versions are affected.
Ruby 2.4.1 and prior versions are affected.

Information

Bugtraq ID: 100868
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2017-14033

Remote: Yes
Local: No
Published: Sep 14 2017 12:00AM
Updated: Sep 14 2017 12:00AM
Credit: asac.
Vulnerable: Ruby-Lang Ruby 2.4.1
Ruby-Lang Ruby 2.3.4
Ruby-Lang Ruby 2.3
Ruby-Lang Ruby 2.2.7
Ruby-Lang Ruby 2.2
Ruby-Lang Ruby 2.4.0
Ruby-Lang Ruby 2.2.2

Not Vulnerable: Ruby-Lang Ruby 2.4.2
Ruby-Lang Ruby 2.3.5
Ruby-Lang Ruby 2.2.8

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• Bug 1491866 - (CVE-2017-14033) CVE-2017-14033 ruby: Buffer underrun in OpenSSL A (Redhat)
  
• CVE-2017-14033 (Redhat)
  
• CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode (Ruby)
  
• Ruby-Lang Homepage (Ruby-Lang)
  

Source: www.securityfocus.com