This Week in Cybersecurity: June 19-25, 2022

Major News Stories

Other Software with Critical Patches Available

  • Nothing major this week.

Learning – CVE-2006-4112

A few weeks back, we looked at CVE-2006-4111, the very first Ruby on Rails CVE. This week, we’re continuing our journey through Rails’ CVE history and taking a look at the second CVE to affect the framework - CVE-2006-4112 [1].

Published the same day as CVE-2006-4111 (the first Rails CVE) and tying 4111’s CVSS score of 7.5/10, CVE-2006-4112 was classified with the vulnerability types of “denial of service” and “code execution”. The blog post from the Rails team regarding the vulnerability is quite interesting when considering the evolution of the Rails team’s approach to security vulnerabilities.

For example, the current industry best practice for open source projects like Rails is to be forthcoming regarding the details of a security vulnerability. However, in the above-mentioned blog post, DHH declines to discuss any specifics of the security issue, stating, “The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assalients [sic].” This “security by obscurity” approach is considered counterproductive: it prevents white hats from validating a fix (interestingly, this CVE had a 1.1.5 patch that was released and then withdrawn due to multiple issues), and it doesn’t stop black hats, since a simple diff between versions is enough for would-be attackers to begin crafting an exploit.

And in fact, that approach was quickly taken, albeit (and thankfully) by the white-hat Evan Weaver, who posted, “anatomy of an attack against 1.1.4” to his blog. In this post, Evan uncovers the vulnerable code by starting with a fresh Rails app and diffing the changes between 1.1.4 and 1.1.5. The post is definitely worth a read and does an excellent job of breaking down two very serious vulnerabilities that were fixed in Rails 1.1.6:

  1. Being able to request arbitrary files (i.e., in a Rails app’s lib/ and db/ folders), causing DoS and database corruption.
  2. Mechanisms for running arbitrary code via Rails’ $LOAD_PATH (different from CVE-2006-4111).

Sources & Resources

In addition to inline citations, the following were used or referenced when preparing this debrief.

Thanks for reading, stay safe out there, and have a great weekend! 👩🏿‍💻 🌐 👨🏽‍💻

Written on June 24, 2022 by Alex Smith

At Maxwell, we live our values (ROCKS) every day. Come tackle worthwhile challenges and make impactful change with us.