Regex Backtracking Denial of Service in websocket-extensions Ruby Module

Title: Regex Backtracking Denial of Service in websocket-extensions

CVE-ID: CVE-2020-7663

Versions: < 0.1.5

Fixed in: 0.1.5

Package URL: websocket-extensions-ruby

Common Weakness Enumeration: CWE-1333 (Inefficient Regular Expression Complexity)

Vulnerability Description

The websocket-extensions Ruby gem prior to version 0.1.5 is vulnerable to Denial of Service (DoS) via regular-expression backtracking. The extension parser may take quadratic time when parsing a Sec-WebSocket-Extensions header that contains an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This class of bug, Regular Expression Denial of Service (ReDoS), lets a remote client tie up the server's CPU with a single handshake request. It is most damaging on a single-threaded server, where the event loop stalls until the header has been parsed and no other connection is served in the meantime.

Example Scenario: Exploiting ReDoS in a Single-Threaded Server

  1. Setup the Vulnerable Application:

    require 'websocket/extensions'   # websocket-extensions gem, any version below 0.1.5
    
    class WebSocketServer
      def initialize(request)
        @request = request
      end
    
      # Server-side handshake step: the gem parses the extensions offered by
      # the client in Sec-WebSocket-Extensions. This is where the vulnerable
      # header parser runs.
      def process_request
        exts = WebSocket::Extensions.new
        response = exts.generate_response(@request.headers['Sec-WebSocket-Extensions'])
        puts "Negotiated extensions header: #{response.inspect}"
      end
    end
    
    # Simulating a WebSocket request. Ruby single quotes keep each \c as a
    # literal backslash followed by "c", and the quoted value is never closed
    # with a second double quote.
    request = Struct.new(:headers).new({
      'Sec-WebSocket-Extensions' => 'a; b="\c\c\c\c\c\c\c\c\c\c ...'
    })
    
    server = WebSocketServer.new(request)
    server.process_request
  2. Exploit the Vulnerability:

    • The attacker sends a WebSocket handshake request with a malicious Sec-WebSocket-Extensions header: a parameter value that opens with a double quote, is never closed, and consists of a long run of backslash-plus-character pairs.

      Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
    • This payload triggers the ReDoS condition: parsing time grows quadratically with the length of the header, so a header of a few hundred kilobytes keeps the server busy for seconds, blocking other requests and making the service unavailable.

Issue Replication

To replicate the issue, follow these steps:

  1. Run a Single-Threaded WebSocket Server:

    • Use the provided vulnerable application code to set up a WebSocket server.

  2. Send Malicious Payload:

    • Simulate a WebSocket request whose Sec-WebSocket-Extensions header contains an unclosed quoted value made of a long run of backslash-plus-character pairs (tens of thousands of pairs are enough to measure the effect).

  3. Observe the Impact:

    • Notice that the server becomes unresponsive while the malicious header is parsed: on a single-threaded server no other connection is served until parsing finishes, and the delay grows quadratically as the header is made longer.

Fix

Upgrade to websocket-extensions version 0.1.5 or later. This version includes fixes to mitigate the ReDoS vulnerability by improving the regular expression handling to prevent excessive backtracking.
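The page describes the gem's fix only in outline (less backtracking in the regular-expression handling). As an added example that is not the gem's code, the following is a backtracking-free parser for the same Sec-WebSocket-Extensions grammar (RFC 6455 section 9.1 extension-list, with RFC 2616 tokens and quoted-strings). Each byte is consumed by exactly one rule, so the attack shape from the advisory (an unclosed quoted value of backslash-character pairs) fails after a single pass, and an assumed length cap rejects oversized headers before any parsing starts. The module name, the `max_length` value and the sample headers are all constructed for this example.

```ruby
require 'strscan'

# Added example, not code from the websocket-extensions gem: a single-pass
# Sec-WebSocket-Extensions parser with no overlapping alternatives, so a
# backtracking regex engine never has a second way to match the same bytes.
module ExtHeader
  ParseError = Class.new(ArgumentError)

  # RFC 2616 token characters (no CTLs, no separators). A plain character-class
  # repeat is matched in one linear pass.
  TOKEN = /[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+/
  WS    = /[ \t]*/

  # Returns [[name, {param => value-or-true}], ...].
  # max_length is an assumed deployment limit, not a value from the advisory.
  def self.parse(header, max_length: 4096)
    raise ParseError, "header exceeds #{max_length} bytes" if header.bytesize > max_length

    ss   = StringScanner.new(header)
    exts = []
    loop do
      ss.skip(WS)
      name = ss.scan(TOKEN) or raise ParseError, "expected extension name at byte #{ss.pos}"
      params = {}
      loop do                       # "; key" or "; key=value" pairs
        ss.skip(WS)
        break unless ss.skip(/;/)
        ss.skip(WS)
        key = ss.scan(TOKEN) or raise ParseError, "expected parameter name at byte #{ss.pos}"
        ss.skip(WS)
        value = true
        if ss.skip(/=/)
          ss.skip(WS)
          value = ss.scan(TOKEN) || parse_quoted(ss)
        end
        params[key] = value
      end
      exts << [name, params]
      ss.skip(WS)
      break if ss.eos?
      ss.skip(/,/) or raise ParseError, "unexpected byte at #{ss.pos}"
    end
    exts
  end

  # quoted-string = DQUOTE *( qdtext | quoted-pair ) DQUOTE, quoted-pair = "\" CHAR.
  # Read byte by byte: a backslash always consumes the following byte, so "\c"
  # has exactly one parse and an unterminated value fails when input runs out.
  def self.parse_quoted(ss)
    ss.skip(/"/) or raise ParseError, "expected token or quoted-string at byte #{ss.pos}"
    out = +''
    loop do
      ch = ss.getch or raise ParseError, 'unterminated quoted-string'
      case ch
      when '"' then return out
      when '\\'
        esc = ss.getch or raise ParseError, 'unterminated quoted-string'
        out << esc
      else
        raise ParseError, 'control byte in quoted-string' if ch.ord < 0x20 || ch.ord == 0x7f
        out << ch
      end
    end
  end
end

# Constructed inputs: a benign offer, and the advisory's attack shape
# (an unclosed quoted value made of 50,000 backslash+character pairs).
BENIGN_HEADER    = 'permessage-deflate; client_max_window_bits=15; server_no_context_takeover, foo; bar="b\\"z"'
MALICIOUS_HEADER = 'a; b="' + ('\\c' * 50_000)

if __FILE__ == $0
  p ExtHeader.parse(BENIGN_HEADER)
  [4096, 1_000_000].each do |limit|
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    begin
      ExtHeader.parse(MALICIOUS_HEADER, max_length: limit)
    rescue ExtHeader::ParseError => e
      ms = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000
      puts "limit=#{limit}: rejected (#{e.message}) in #{ms.round(2)} ms"
    end
  end
end
```

With the default cap the 100 KB malicious header is refused before parsing; with the cap raised to 1 MB it is still rejected as an unterminated quoted-string in a few milliseconds, because the scanner visits each byte once. The length cap is the cheap defense in depth worth keeping in front of any regex-based parser, fixed gem or not.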

Remediation Code Example

To ensure your application is protected against this vulnerability, upgrade the websocket-extensions gem to 0.1.5 or later and confirm that the resolved version in Gemfile.lock actually moved; a transitive dependency (for example via websocket-driver) can keep an old version pinned even after your own Gemfile changes.
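The check below is an added example, not part of the advisory or the gem: it reads a Gemfile.lock and tests the resolved websocket-extensions version against the advisory's vulnerable range (`< 0.1.5`) with RubyGems' own version comparison, which is what a CI gate or a quick audit script needs. The lockfile excerpts are constructed for the example; the bundler-audit gem (`bundle audit check --update`) performs the same check against the full advisory database.

```ruby
require 'rubygems'

# Added example (not code from the advisory or the gem): audit a Gemfile.lock
# for a vulnerable resolved version of websocket-extensions.
module WebSocketExtensionsAudit
  GEM_NAME   = 'websocket-extensions'
  VULNERABLE = Gem::Requirement.new('< 0.1.5')   # range stated in the advisory

  # Resolved spec lines look like "    websocket-extensions (0.1.4)".
  # Dependency constraint lines ("      websocket-extensions (>= 0.0.1)")
  # open with an operator, so requiring a leading digit skips them.
  SPEC_LINE = /^\s*#{Regexp.escape(GEM_NAME)} \((\d[^)]*)\)\s*$/

  # Returns the resolved version string, or nil if the gem is not in the lockfile.
  def self.resolved_version(lockfile_text)
    m = lockfile_text.match(SPEC_LINE)
    m && m[1]
  end

  # Gem::Version compares numerically per segment, so "0.1.10" is newer than "0.1.5".
  def self.vulnerable_version?(version)
    VULNERABLE.satisfied_by?(Gem::Version.new(version))
  end

  # Returns { version:, vulnerable: } or nil when the gem is absent.
  def self.check(lockfile_text)
    v = resolved_version(lockfile_text)
    return nil unless v
    { version: v, vulnerable: vulnerable_version?(v) }
  end
end

# Constructed lockfile excerpts (not from a real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      websocket-driver (0.7.1)
        websocket-extensions (>= 0.0.1)
      websocket-extensions (0.1.4)
LOCK

FIXED_LOCK = VULNERABLE_LOCK.sub('websocket-extensions (0.1.4)', 'websocket-extensions (0.1.5)')

if __FILE__ == $0
  [VULNERABLE_LOCK, FIXED_LOCK].each do |lock|
    r = WebSocketExtensionsAudit.check(lock)
    status = r[:vulnerable] ? 'VULNERABLE, upgrade to >= 0.1.5' : 'ok'
    puts "#{WebSocketExtensionsAudit::GEM_NAME} #{r[:version]}: #{status}"
  end
end
```

Run it against a real lockfile with `WebSocketExtensionsAudit.check(File.read('Gemfile.lock'))` and fail the build when `vulnerable` is true.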

Example of Mitigated Code

After upgrading to the fixed version, no change to the application code in the example scenario above is needed: the same server code handles the Sec-WebSocket-Extensions header, including the malicious unclosed quoted value, without the excessive backtracking.

Recommendations

  • Always keep your gems up to date, especially for security-critical applications, and check the resolved version in Gemfile.lock rather than only the Gemfile constraint.

  • Regularly check for security advisories related to your dependencies, for example with the bundler-audit gem in CI.

  • Cap the size of request headers at the reverse proxy or web server so that a multi-hundred-kilobyte Sec-WebSocket-Extensions header is refused before any parser sees it.

  • On Ruby 3.2 or later, set Regexp.timeout as defense in depth; it bounds the damage from any remaining backtracking-prone pattern but is not a substitute for upgrading the gem.

  • Multi-threaded or asynchronous server setups reduce the impact of this kind of DoS (one slow handshake no longer stalls every connection) but do not remove it, since each malicious request still burns CPU for a quadratic amount of time.

Vulnerability Disclosure Timeline

The vulnerability was responsibly disclosed by Robert McLaughlin and has been fixed in websocket-extensions version 0.1.5. All users are advised to upgrade to this version or later to protect against the described ReDoS vulnerability.
