[Secure-testing-team] Bug#736287: ruby1.9.1: insecure SSL defaults (DES and unauthenticated ciphers)

brian m. carlson sandals at crustytoothpaste.net
Tue Jan 21 23:20:49 UTC 2014


Package: ruby1.9.1
Version: 1.9.3.484-1
Severity: grave
Tags: security

Upstream bug 9424 [0] indicates that ruby has insecure SSL and TLS
defaults.  Using the gist linked to [1] in the bug report, I get the
following output:

  vauxhall ok % /usr/bin/ruby1.9.1 howsmytls.rb
  {
    "given_cipher_suites": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
      "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
      "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
      "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
      "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
      "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA",
      "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
      "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
      "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
      "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
      "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
      "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
      "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
      "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_128_CBC_SHA",
      "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
      "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
      "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
      "TLS_RSA_WITH_SEED_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
      "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
      "TLS_ECDH_anon_WITH_RC4_128_SHA",
      "TLS_ECDH_RSA_WITH_RC4_128_SHA",
      "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
      "TLS_RSA_WITH_RC4_128_SHA",
      "TLS_RSA_WITH_RC4_128_MD5",
      "TLS_DHE_RSA_WITH_DES_CBC_SHA",
      "TLS_DHE_DSS_WITH_DES_CBC_SHA",
      "TLS_RSA_WITH_DES_CBC_SHA",
      "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    ],
    "ephemeral_keys_supported": true,
    "session_ticket_supported": true,
    "tls_compression_supported": false,
    "unknown_cipher_suite_supported": false,
    "beast_vuln": false,
    "able_to_detect_n_minus_one_splitting": false,
    "insecure_cipher_suites": {
      "TLS_DHE_DSS_WITH_DES_CBC_SHA": [
        "uses keys smaller than 128 bits in its encryption"
      ],
      "TLS_DHE_RSA_WITH_DES_CBC_SHA": [
        "uses keys smaller than 128 bits in its encryption"
      ],
      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ],
      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ],
      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ],
      "TLS_ECDH_anon_WITH_RC4_128_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ],
      "TLS_RSA_WITH_DES_CBC_SHA": [
        "uses keys smaller than 128 bits in its encryption"
      ],
      "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ],
      "TLS_SRP_SHA_WITH_AES_128_CBC_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ],
      "TLS_SRP_SHA_WITH_AES_256_CBC_SHA": [
        "is open to man-in-the-middle attacks because it does not authenticate the server"
      ]
    },
    "tls_version": "TLS 1.2",
    "rating": "Bad"
  }

Clearly, negotiating plain DES ciphers or ciphers without authentication
by default is unacceptable.  I have no opinion on SRP, since I don't
know enough about it.  Please patch this vulnerability.  I will clone
the bug to ruby2.0 once I get the bug number.

[0] https://bugs.ruby-lang.org/issues/9424
[1] https://gist.github.com/8302049.git

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ruby1.9.1 depends on:
ii  libc6         2.17-97
ii  libruby1.9.1  1.9.3.484-1

ruby1.9.1 recommends no packages.

Versions of packages ruby1.9.1 suggests:
ii  graphviz            2.26.3-16.1
ii  ri1.9.1             1.9.3.484-1
pn  ruby-switch         <none>
ii  ruby1.9.1-dev       1.9.3.484-1
pn  ruby1.9.1-examples  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
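The report above shows what a default context offered and leaves the fix to the package maintainers. As an added example (not code from the bug report, nor the patch upstream or Debian shipped), the Ruby script below does two things a defender would want on a system like the one reported: it audits the list an `OpenSSL::SSL::SSLContext` will actually offer, flagging the two problems the howsmytls output names (anonymous key exchange and encryption keys shorter than 128 bits), and it builds a context with an explicit cipher string instead of trusting the interpreter's default. The cipher string, the helper names `weak_entries`, `hardened_context` and `report`, and the constant `HARDENED_CIPHERS` are all assumptions made for this example.

```ruby
require "openssl"

# Audit helper (added example, not part of the bug report). Takes the array
# that OpenSSL::SSL::SSLContext#ciphers returns, one [name, version, bits,
# alg_bits] entry per suite, and returns the entries a client should not
# offer by default:
#   - anonymous key exchange, which OpenSSL names ADH-* (DH) and AECDH-*
#     (ECDH); the howsmytls output flags these as "open to man-in-the-middle
#     attacks because it does not authenticate the server"
#   - encryption keys shorter than 128 bits (single DES, export suites),
#     flagged above as "uses keys smaller than 128 bits in its encryption"
def weak_entries(cipher_list)
  cipher_list.select do |name, _version, bits, _alg_bits|
    anonymous = name.start_with?("ADH-", "AECDH-")
    short_key = bits < 128
    anonymous || short_key
  end
end

# An explicit cipher string (assumed for this example, not the upstream fix):
#   HIGH      keep only suites OpenSSL classes as high strength
#   !aNULL    drop every anonymous key exchange, both DH and ECDH variants
#   !eNULL    drop suites with no encryption at all
#   !DES:!3DES:!RC4:!MD5  drop the legacy algorithms visible in the output
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5".freeze

# Build a context whose offered suites are pinned by the application rather
# than inherited from whatever default the interpreter ships with.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = HARDENED_CIPHERS  # raises OpenSSL::SSL::SSLError on a bad spec
  ctx
end

# Print what a context offers and which of those entries the audit flags.
# On a current Ruby/OpenSSL the default list may already be clean; the point
# is that the application checks it instead of assuming it.
def report(label, ctx)
  weak = weak_entries(ctx.ciphers)
  puts "#{label}: #{ctx.ciphers.size} suites offered, #{weak.size} flagged"
  weak.each { |name, version, bits, _| puts "  #{name} (#{version}, #{bits} bits)" }
  weak
end

if __FILE__ == $0
  report("default context ", OpenSSL::SSL::SSLContext.new)
  report("hardened context", hardened_context)
end
```

The audit only looks at the two classes the reporter objects to. The SRP suites that howsmytls also flagged (`TLS_SRP_SHA_WITH_*`, which carry no certificate) survive `HIGH:!aNULL` because OpenSSL files them under its own `SRP` alias rather than `aNULL`; appending `:!SRP` to the string removes them if the application never uses SRP credentials.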