Download the latest Ruby version and find out about how an attack can be mitigated

Dec 29, 2011 09:17 GMT

A serious vulnerability has been found in Ruby that could allow an attacker to mount a denial-of-service (DoS) attack. The attack relies on a specially crafted series of strings whose hash values collide.

The string hash function in the Ruby 1.8 series is deterministic: nothing other than the input string itself goes into computing the hash value, so a string’s hash can be pre-calculated in advance.

“By collecting a series of strings that have the identical hash value, an attacker can let Ruby process collide bins of hash tables (including Hash class instances),” reads the issue’s description.

“Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n^2) to construct an n-element table in this case).”

Ruby 1.8.7-p352 and all earlier versions are affected by the issue, but the 1.9 series is not, since it does not share the same hash implementation.

The fix, which makes it difficult for an attacker to mount a successful attack, is to scramble the string hash function with PRNG-generated random bits. This way, a string’s hash value is no longer deterministic.

With this method, different random bits are generated at each boot, so an attacker would have to find a set of strings that still collide under any such scrambling, a goal that is not easy to achieve.

Even so, this method is not bulletproof, since the hash algorithm does not become cryptographically secure. An attacker who can observe the hash outputs could still exploit it.
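As an added illustration, not Ruby’s own hash code: a toy deterministic string hash, the same hash with a random seed folded into its start value, a hash that mixes the seed into every step, and a bucket-load check showing why colliding keys turn O(1) lookups into O(n). The multiplier 31, the FNV-style mixing and the "Aa"/"BB" input set are the example’s own constructions, chosen because their behaviour can be reasoned about by hand; Ruby’s real function is different.

```ruby
# Added example, not Ruby's own implementation: a toy deterministic string
# hash, the same hash with a random seed as its start value, a hash that
# mixes the seed into every step, and a bucket-load check for the
# O(1) -> O(n) degradation described above.
MASK = 0xFFFFFFFF        # stay within 32 bits, like a C unsigned int
FNV_PRIME = 0x01000193   # odd multiplier, so multiplying by it is a bijection mod 2^32

# Polynomial hash h = h*31 + byte. With seed 0 it depends on nothing but
# the input, so colliding inputs can be precomputed offline.
def poly_hash(str, seed = 0)
  str.each_byte.inject(seed & MASK) { |h, b| (h * 31 + b) & MASK }
end

# FNV-1a style hash with the seed as the starting state: each byte is
# XORed in and the result multiplied, so the seed shapes every step.
def mixed_hash(str, seed)
  str.each_byte.inject(seed & MASK) { |h, b| ((h ^ b) * FNV_PRIME) & MASK }
end

# Constructed test input for the toy hash: "Aa" and "BB" collide under
# poly_hash (65*31 + 97 == 66*31 + 66 == 2112), so any concatenation of
# k such pairs collides as well, giving 2**k distinct keys with one hash.
def collision_set(pairs)
  %w[Aa BB].repeated_permutation(pairs).map(&:join)
end

# Longest chain after dropping keys into nbuckets buckets with the given
# hash. O(1) lookups need this to stay small; a load of n means every
# lookup walks the whole chain, which is the O(n^2) table build quoted above.
def max_bucket_load(keys, nbuckets)
  counts = Hash.new(0)
  keys.each { |k| counts[yield(k) % nbuckets] += 1 }
  counts.values.max
end

def report(label, keys, &hash)
  puts "#{label}: max load #{max_bucket_load(keys, 64, &hash)} of #{keys.size}"
end

if __FILE__ == $PROGRAM_NAME
  keys = collision_set(4)          # 16 keys sharing a single poly_hash value
  seed = Random.new_seed & MASK    # fresh random bits, as a process would draw at boot
  report("deterministic", keys) { |k| poly_hash(k) }
  # A seed that only changes the start value does not rescue this hash:
  # the "Aa"/"BB" difference cancels whatever the prefix state is.
  report("additive seed", keys) { |k| poly_hash(k, seed) }
  # Mixing the seed into every step does break the precomputed set.
  report("mixed seed   ", keys) { |k| mixed_hash(k, seed) }
end
```

The middle case is the practitioner’s check: a seed that is merely added to the initial state leaves this collision family intact, which is why the scrambling has to reach every step of the hash.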

This is why users who need to expose hash outputs are advised to use the secure hash algorithms found in Ruby’s standard library instead. Ruby users are also advised to upgrade to the latest version.

Other web programming languages and applications are also susceptible to a similar DoS attack.

Ruby 1.8.7-p357 is available for download.