CVE-2021-32066

ruby: StartTLS stripping vulnerability in Net::IMAP

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Se ha detectado un problema en Ruby versiones hasta 2.6.7, versiones 2.7.x hasta 2.7.3, y versiones 3.x hasta 3.0.1. Net::IMAP no lanza una excepción cuando StartTLS falla con una respuesta desconocida, lo que podría permitir a atacantes tipo man-in-the-middle omitir las protecciones TLS, al aprovechar una posición de red entre el cliente y el registro para bloquear el comando StartTLS, también se conoce como "StartTLS stripping attack"

Ruby's Net::IMAP module did not raise an exception when receiving an unexpected response to the STARTTLS command and the connection was not upgraded to use TLS. A man-in-the-middle attacker could use this flaw to prevent Ruby applications using Net::IMAP to enable TLS encryption for a connection to an IMAP server and subsequently eavesdrop on or modify data sent over the plain text connection.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-06 CVE Reserved
2021-07-21 CVE Published
2024-01-31 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-319: Cleartext Transmission of Sensitive Information
CWE-755: Improper Handling of Exceptional Conditions

CAPEC

References (10)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html	Mailing List
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html	Mailing List
https://security.netapp.com/advisory/ntap-20210902-0004	Third Party Advisory

URL	Date	SRC
https://hackerone.com/reports/1178562	2024-08-03

URL	Date	SRC
https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a	2024-01-24
https://www.oracle.com/security-alerts/cpuapr2022.html	2024-01-24

URL	Date	SRC
https://security.gentoo.org/glsa/202401-27	2024-01-24
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap	2024-01-24
https://access.redhat.com/security/cve/CVE-2021-32066	2022-02-28
https://bugzilla.redhat.com/show_bug.cgi?id=1980128	2022-02-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				>= 2.6.0 <= 2.6.7 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.6.0 <= 2.6.7"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				>= 2.7.0 <= 2.7.3 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.7.0 <= 2.7.3"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				>= 3.0.0 <= 3.0.1 Search vendor "Ruby-lang" for product "Ruby" and version " >= 3.0.0 <= 3.0.1"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"				< 9.2.6.1 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.6.1"		-		Affected