Ruby BigDecimal denial of service 10 Jun 09

From ruby-lang.org:

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.

We’re currently  building new Ruby packages for Brightbox customers with the relevant patches to fix this vulnerability. We’ll keep this post updated with the latest news.

UPDATE, 15:46 BST: New Ruby EE packages are now available in our Ruby Enterprise Ubuntu repository. We’re working on updates for the standard Ubuntu version of Ruby.

You can confirm that the update fixes the bug with the following command:

ruby -e 'require "bigdecimal";BigDecimal("E99999999").to_s("F");puts "OK"'

If your version of Ruby is vulnerable, you’ll get a “Segmentation fault” error message, otherwise it prints “OK”.

Rails CSRF Security Vulnerability 19 Nov 08

Users of Rails 2.1 and 2.2 need to be aware of a vulnerability in Rails’ CSRF forgery protection.

For those that don’t know, Rails generates an authentication token within your forms and verifies this token when the form is submitted back to your application. This prevents attackers from crafting malicious requests whilst pretending to be your authenticated user.

However, for certain types of request (supposedly those that cannot be generated from a browser) this authentication token is ignored - in order to make it simpler for automated API access to your application (using JSON, XML or a few other data transport types). Unfortunately, text/plain is wrongly included as one of these types.

Luckily, the fix is simple. The long-term solution is to upgrade your application to Rails 2.1.3 or 2.2.2 (when they are released); the quick fix is even easier - tell Rails to verify text/plain requests by creating a file (called mime_type_csrf_fix.rb) in your config/initializers folder:


# temporary fix for http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
Mime::Type.unverifiable_types.delete(:text)


Rails security vulnerability 26 Aug 08

If you’ve been following the Rails security list you’ll know that there has been a serious flaw uncovered in the REXML library that allows an easy Denial of Service attack on the vast majority of Rails applications.

The Ruby details are here: http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ and the instructions for applying the monkey patch fix for Rails is on the security google group: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9fb60a1e22a88d30/330bcb96de877996#330bcb96de877996

Just to reiterate - this fault will affect the majority of Rails applications across all versions of Rails, whether you think you are processing XML or not, and we would urge all our customers (and all Rails users for that matter) to patch their applications until there is an upgrade to the Ruby libraries correcting the error.

Ruby Security Vulnerabilities 25 Jun 08

Some of you will have noticed the kerfuffle regarding the recent Ruby security vulnerabilities.  Fixed version of Ruby were released over the weekend but they are causing crashes in applications.  Until working fixes are available we’re all a bit stuck.

Details of the bugs have been kept officially secret but people are figuring it out for themselves (thanks to Zed in particular).  This secrecy has just contributed to the fear, uncertainty and doubt surrounding the issues and hasn’t helped the situation at all.

We currently recommend sitting tight until proper fixes are available.  When this happens, distros will release new packages in the usual manner.  Brightboxes are based on the Ubuntu distro and their security team are aware of the problem and are working on it (see the bug status here).

For those of you using the standard Ruby from Dapper (most of you) you should be able to just upgrade  using aptitude as soon as Ubuntu release new packages.  For those of you using the backported Ruby 1.8.6 packages, you’ll need to wait for us to backport the fixes once they’re released.  We’ll obviously be doing this asap.

We’ll update the blog as we know more.

UPDATE: Ubuntu have fixed ruby1.8 packages available now. They have already appeared in the Ubuntu security repository and are available for install.  Preliminary testing of the Dapper packages has been successful (gems with native libraries too).  We’re re-backporting the Hardy 1.8.6 packages right now and they’ll be available soon.

UPDATE: We have the fixed Hardy packages (1.8.6-p111) backported to Dapper available on the Brightbox testing apt repository.  They’ve passed a lot of preliminary tests but have not been tested extensively in production yet.  Please report any problems  with them (segfaults etc.) to support@brightbox.co.uk.

Ubuntu Openssh vulnerability 14 May 08

A vulnerability in some versions of Openssh on Debian and Ubuntu Linux was announced yesterday which can result in attackers gaining ssh access to machines with weak keys.  Any versions of Openssh that can produce these weak keys needs to be upgraded, and any weak keys in use need to be regenerated.

One of our admin keys, used for accessing customer machines for support, was generated on a vulnerable version of Ubuntu.  This key is installed on Brightboxes by default though is limited to access from the private network only, mitigating the risk somewhat.

We’ve generated a new key and have now installed it on all affected Brightboxes and removed the weak one (you may have noticed some ssh connections from the private network to your box this morning as the user bbox-admin).

The Brightbox distribution is based on Ubuntu Dapper, which is not directly vulnerable to this bug, but if you are using an ssh key generated on one of the vulnerable versions then your Brightbox might be at risk.  If you use any of the vulnerable versions of Ubuntu yourself then please follow the instructions in the Ubuntu security notice.

Planned MySQL Maintenance: 6 Jan 2200hrs-2230hrs 31 Dec 07

We’ll be doing some work on the MySQL cluster on Sunday 6th January 2008 between 2200hrs and 2230hrs. We’re changing the way the clustering is managed to improve stability and also upgrading to fix some security bugs.During the window you may see two or three brief outages (less than 2 minutes at a time). We’ll keep the status page up to date as usual. If you experience any issues after the maintenance window has closed, please submit a support ticket and we’ll deal with it straight away.

Update: (7 Jan 2007) maintenance went well with only few seconds downtime.

Secure virtual disk deletion - is your data safe? 4 Dec 07

Everyone knows the dangers of old hard disks being discarded with sensitive data still on them, but what about virtual disks? With so many virtual machine hosting services cropping up of late (hi!), have you ever wondered what happens to your data when you delete your virtual machine?

Usually your machine’s ‘partition’ is just a small part of a larger disk array; the partition is deleted and the space returned for the pool to be used by another virtual machine. This means, the next time someone buys a virtual machine with the same host, some of the blocks that made up your filesystem could end up making up their filesystem. The metadata will be wiped clean when the filesystem is formatted of course, so they won’t just see your files listed, but the blocks can still contain your data. It depends on how they’re managing their disks.

Homework: go buy a virtual machine somewhere and pipe the contents of your new disk through the strings command and look out for anything that isn’t yours (ssh root@newmachine "dd if=/dev/sda1 bs=1M | strings"). Extra credit if you don’t get thrown off your new host on the first day for maxing out the disk IO :)

So, you’re probably careful and securely wipe your sensitive data before you leave, phew. But disk space is virtualised too. The blocks that make up your disk might not all be in order or even all be on the same disk. With snapshots, your data may exist in duplicate too that you can’t even access. And what about if you bought extra disk space, then removed it?

At Brightbox we use Linux’s LVM implementation to manage disk space and these are problems we have to deal with and we take it seriously. All virtual machine disks are wiped at the block level when the machine is deleted or when a new machine is created. The only corner case we’re likely to run into is if a disk image is extended into space that had previously been used as a snapshot or as a disk that was shrunk. Luckily we don’t currently offer snapshots or disk shrinking but it’ll be something we’ll probably offer at some point, so we’ll have to address it then.