CVE-2024-25126: Rack - Modular Ruby Web Server Interface ReDoS Vulnerability Patched in Versions 3..9.1 and 2.2.8.1

Rack is a modular Ruby web server interface, and it plays a crucial role in serving and managing web applications in the Ruby ecosystem. Recently, a vulnerability was discovered in Rack (CVE-2024-25126) that can potentially lead to a Denial of Service (DoS) attack. Specifically, this vulnerability allows an attacker to cause a ReDoS (Regular Expression Denial of Service) attack by carefully crafting content type headers to make the media type parser consume much more time than usual. A patch has been provided in versions 3..9.1 and 2.2.8.1, addressing this 2nd-degree polynomial ReDoS vulnerability.

Code Snippet

In versions of Rack before 3..9.1 and 2.2.8.1, the vulnerability exists in the lib/rack/media_type.rb file, which is responsible for parsing media types.

module Rack
  class MediaType
    def self.parse_media_type_component(media_type_string, regexp)
      yield(media_type_string.split(regexp).compact.select { |s| !s.empty? }.map(&:strip))
    end
...

Patching the vulnerability in version 3..9.1 involves improvements in the media type parsing, as shown in the following diff:

module Rack
  class MediaType
    def self.parse_media_type_component(media_type_string, regexp)
+      parts = []
+      nesting_level = 
+      media_type_string.scan(regexp).reject { |s| s.empty? }.select { |s|
+        if nesting_level >= 1 && s.strip == ";"
+          # Discard this s value.
+        elsif s.strip == "(" || s.strip == ")"
+          nesting_level += s.strip == "(" ? 1 : -1
+          # Discard this s value.
+        elsif nesting_level == 
+          # Keep this s value.
+          true
+        else
+          # Discard this s value.
+        end
+      }.each { |s| parts << s.strip }
+      yield parts
...

Exploit Details

The CVE-2024-25126 vulnerability allows attackers to craft content type headers in such a way that it takes a long time for Rack's media type parser to parse them, thereby causing a ReDoS attack. Essentially, this leads to slowing down and potentially overwhelming the server, resulting in poor performance or denial of service for legitimate users.

For instance, an attacker could send a request with a content type header that has a deeply nested parentheses structure like this:

Content-Type: text/html( ( ( ( ( ( ( ( ( ( (mediatype) ))))))))))

When unpatched, the media type parser in Rack would take an unreasonable amount of time to process this malformed input, causing the server to stall and not serve other requests.

References

- Patched version source code and changelog: rack-3..x
- Vulnerability report and discussion: rack-issue-1665
- ReDoS phenomenon: owasp-redos

Conclusion

It is highly recommended to update your Rack installations to versions 3..9.1 or 2.2.8.1, as necessary, to address this CVE-2024-25126 vulnerability. Failure to do so can leave your server exposed to ReDoS attacks and, consequently, a denial of service for your users. Regularly check for security updates and patches to ensure the safety of your applications, and always stay vigilant about vulnerabilities in the systems you rely on.

Timeline

Published on: 02/29/2024 00:15:51 UTC
Last modified on: 02/29/2024 13:49:47 UTC