Bug 1980126 (CVE-2021-31810) - CVE-2021-31810 ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host
Summary: CVE-2021-31810 ruby: FTP PASV command response can cause Net::FTP to connect ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31810
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1980567 1980568 1980569 1980570 1980571 1980822 1980823 1980824 1980825 1980826 1980827 1980828 1986812 1995174 1996666 2052643 2052645 2052646 2052647 2053195 2057428
Blocks: 1980129
TreeView+ depends on / blocked
 
Reported: 2021-07-07 20:53 UTC by Pedro Sampaio
Modified: 2024-10-01 18:55 UTC (History)
19 users (show)

Fixed In Version: ruby 3.0.2, ruby 2.7.4, ruby 2.6.8, rubygem-net-ftp 0.1.3
Doc Type: If docs needed, set a value
Doc Text:
Ruby's Net::FTP module trusted the IP address included in the FTP server's response to the PASV command. A malicious FTP server could use this to make Ruby applications using the Net::FTP module to connect to arbitrary hosts and use this to perform port scanning or information extraction from systems not accessible from the FTP server.
Clone Of:
Environment:
Last Closed: 2021-08-05 19:07:01 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3130 0 None None None 2021-08-11 04:55:55 UTC
Red Hat Product Errata RHBA-2021:4018 0 None None None 2021-10-28 01:19:10 UTC
Red Hat Product Errata RHBA-2022:0593 0 None None None 2022-02-22 12:51:59 UTC
Red Hat Product Errata RHSA-2021:3020 0 None None None 2021-08-05 14:53:42 UTC
Red Hat Product Errata RHSA-2021:3559 0 None None None 2021-09-20 07:58:44 UTC
Red Hat Product Errata RHSA-2021:3982 0 None None None 2021-10-25 20:51:05 UTC
Red Hat Product Errata RHSA-2022:0543 0 None None None 2022-02-16 11:34:41 UTC
Red Hat Product Errata RHSA-2022:0544 0 None None None 2022-02-16 11:35:18 UTC
Red Hat Product Errata RHSA-2022:0581 0 None None None 2022-02-21 10:11:37 UTC
Red Hat Product Errata RHSA-2022:0582 0 None None None 2022-02-21 10:12:27 UTC
Red Hat Product Errata RHSA-2022:0672 0 None None None 2022-02-24 15:36:46 UTC
Red Hat Product Errata RHSA-2022:0708 0 None None None 2022-02-28 18:56:43 UTC

Description Pedro Sampaio 2021-07-07 20:53:27 UTC
A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

References:

https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/

Comment 2 Tomas Hoger 2021-07-08 12:32:09 UTC
Upstream commit in Ruby:

https://git.ruby-lang.org/ruby.git/commit/?id=bf4d05173c7cf04d8892e4b64508ecf7902717cd

This commit makes Net::FTP ignore IP addresses used in PASV responses by default and use the same IP address that is used for the main connection.  Newly added attribute use_pasv_ip can be used to re-enable the old behaviour and make Net::FTP connect to the IP specified by the FTP server in the PASV response.  This may be required with certain FTP servers.

Note that Ruby 3.1 will no longer include Net::FTP in its standard library, but will rather bundle net-ftp gem.  A commit for this issue in the net-ftp repo is this:

https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a

Fixed in net-ftp 0.1.3.

The commit in the net-ftp repo also references this hackerone report:

https://hackerone.com/reports/1145454

It has not been made public yet, but it's likely to get disclosed in the near future.

Comment 3 Tomas Hoger 2021-07-08 12:43:17 UTC
Note that this is the same issue as was recently fixed in curl as CVE-2020-8284 - bug 1902667.

Comment 4 Tomas Hoger 2021-07-08 21:38:51 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980570]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 1980571]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980567]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980568]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980569]

Comment 8 errata-xmlrpc 2021-08-05 14:53:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020

Comment 9 Product Security DevOps Team 2021-08-05 19:07:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31810

Comment 10 errata-xmlrpc 2021-09-20 07:58:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559

Comment 11 errata-xmlrpc 2021-10-25 20:51:03 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982

Comment 12 errata-xmlrpc 2022-02-16 11:34:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543

Comment 13 errata-xmlrpc 2022-02-16 11:35:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544

Comment 14 errata-xmlrpc 2022-02-21 10:11:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

Comment 15 errata-xmlrpc 2022-02-21 10:12:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582

Comment 16 errata-xmlrpc 2022-02-24 15:36:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0672 https://access.redhat.com/errata/RHSA-2022:0672

Comment 17 errata-xmlrpc 2022-02-28 18:56:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708


Note You need to log in before you can comment on or make changes to this bug.