In this post, we'll discuss a critical vulnerability, identified as CVE-2023-22792, affecting various versions of Action Dispatch, a component of the Ruby on Rails web application framework. This Regular Expression-based Denial of Service (ReDoS) vulnerability was discovered in Action Dispatch versions earlier than 6.0.6.1, earlier than 6.1.7.1, and earlier than 7.0.4.1. It can be exploited by malicious attackers using specially crafted cookies and the X_FORWARDED_HOST header to cause a Denial of Service (DoS) by consuming an excessive amount of CPU and memory on the targeted server. It is highly recommended that all users running an affected release either upgrade their software or apply one of the workarounds detailed below to mitigate the risk immediately.

Vulnerability Description

The root cause of CVE-2023-22792 lies within a regex pattern used in the parsing process of the X_FORWARDED_FOR header in Action Dispatch. When processing malformed cookies, in combination with a specially crafted X_FORWARDED_FOR header, the regex engine may enter a state of catastrophic backtracking, resulting in heavy CPU usage and memory consumption on the targeted server.

Here's a code snippet to demonstrate how the vulnerable regex pattern is used in the affected versions of Action Dispatch:

# File: action_dispatch/middleware/remote_ip.rb
module ActionDispatch
  class RemoteIp
    # ...

    private

    # X-Forwarded-For: client, proxy1, proxy2
    # Splits the header value on commas and/or whitespace into the list of addresses.
    def extract_ips(value)
      value.strip.split(/[,\s]+/)
    end
  end
end

Impact

Successful exploitation of this vulnerability could cause severe degradation of the web application's performance or even complete unavailability. Attackers with knowledge of this vulnerability may compromise the availability of web services relying on the affected versions of Action Dispatch, which could lead to loss of revenue, reputation damage, information exposure, or any other attack-related consequences.

Solution

It is strongly recommended that users running any of the affected versions of Action Dispatch upgrade to the latest patched versions as soon as possible. The Ruby on Rails project has released the following patched versions:

Action Dispatch versions 6.0.6.1, 6.1.7.1, and 7.0.4.1

These upgraded versions can be obtained from the official Ruby on Rails website (https://rubyonrails.org/) or the RubyGems project page (https://rubygems.org/gems/rails).

If upgrading is not possible at this time, users can apply one of the following workarounds:

1. Enable a Web Application Firewall (WAF) that can block malicious requests containing specially crafted cookies and X_FORWARDED_FOR headers that may trigger the ReDoS vulnerability.
2. Configure a reverse proxy or load balancer to validate and sanitize malformed or malicious headers before forwarding requests to the backend Ruby on Rails application.
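As an added example that is not part of the original post or of Rails itself, here is a minimal Rack-style middleware in Ruby that implements the second workaround in-process: it bounds the length of the forwarded headers and the Cookie header and checks the forwarded headers against the character set they are expected to carry before the request reaches Action Dispatch. The class name, constants, limits and the stand-in upstream app are assumptions for this example.

```ruby
# Added example (not Rails code): Rack-style middleware that validates the
# proxy headers and cookie size before a request reaches Action Dispatch.
# The class name, constants and limits are assumptions for this example.
class HeaderGuard
  MAX_FORWARDED_LEN = 512   # constructed limit; size it for your own proxy chain
  MAX_COOKIE_LEN    = 4096  # constructed limit; browsers cap single cookies near 4 KiB

  # Each check is a single anchored character class with one quantifier, so
  # the validation regexes themselves cannot backtrack catastrophically.
  IP_LIST   = /\A[0-9a-fA-F.:\[\], ]*\z/   # X-Forwarded-For: IPv4/IPv6 literals
  HOST_LIST = /\A[A-Za-z0-9.\-:, ]*\z/     # X-Forwarded-Host: host[:port] list

  def initialize(app)
    @app = app
  end

  def call(env)
    reason = reject_reason(env)
    return [400, { "content-type" => "text/plain" }, ["bad request: #{reason}\n"]] if reason
    @app.call(env)
  end

  # Returns nil when the request may pass, otherwise a short rejection reason.
  def reject_reason(env)
    xff    = env["HTTP_X_FORWARDED_FOR"].to_s
    xfh    = env["HTTP_X_FORWARDED_HOST"].to_s
    cookie = env["HTTP_COOKIE"].to_s
    return "x-forwarded-for too long"  if xff.length > MAX_FORWARDED_LEN
    return "x-forwarded-host too long" if xfh.length > MAX_FORWARDED_LEN
    return "cookie header too long"    if cookie.length > MAX_COOKIE_LEN
    return "x-forwarded-for has unexpected characters"  unless IP_LIST.match?(xff)
    return "x-forwarded-host has unexpected characters" unless HOST_LIST.match?(xfh)
    nil
  end
end

# Constructed downstream app standing in for the Rails application.
UPSTREAM_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

# Builds a Rack env from extra headers and returns the status the guarded stack produces.
def guarded_status(headers)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }.merge(headers)
  HeaderGuard.new(UPSTREAM_APP).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts guarded_status("HTTP_X_FORWARDED_FOR" => "203.0.113.7, 10.0.0.1")  # 200
  puts guarded_status("HTTP_X_FORWARDED_HOST" => "a" * 10_000)             # 400
end
```

Mount it ahead of the application in config.ru (use HeaderGuard) so oversized or malformed headers are rejected with a cheap 400 instead of being parsed.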

References

1. Official Ruby on Rails Website: https://rubyonrails.org/
2. RubyGems Project Page: https://rubygems.org/gems/rails
3. CVE-2023-22792 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

Conclusion

CVE-2023-22792 is a critical Regular Expression-based DoS vulnerability in multiple versions of Action Dispatch. The vulnerability can be exploited to cause severe performance issues or render the web application completely unavailable. All users running an affected version of Action Dispatch should either upgrade their software or apply one of the workarounds detailed above to mitigate the risk immediately.

Timeline

Published on: 02/09/2023 20:15:00 UTC
Last modified on: 03/14/2023 08:15:00 UTC