packages with vulnerability

[rickygm]

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1.6 at Sun Apr 28 20:20:29 CST 2024
vulnxml file up-to-date
ruby-3.1.4_1,1 is vulnerable:
  ruby -- Arbitrary memory address read vulnerability with Regex search
  CVE: CVE-2024-27282
  WWW: https://vuxml.FreeBSD.org/freebsd/2ce1a2f1-0177-11ef-a45e-08002784c58d.html

1 problem(s) in 1 installed package(s) found.
***DONE**

any idea how to fix them?

[franco]

I'm not sure someone is feeding arbitrary untrusted data to ruby, but usually it takes a stable update fix this.. this is only for community plugins (iperf and tor).


Cheers,
Franco

[chemlud]

Hmm, do you want to insinuate that ruby is the new xz? 

[franco]

I'm merely paraphrasing the link:

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

[rickygm]

I think it would be good to remove a package from the repo that could affect security.

note: would I have to remove iperf to remove this package or can I directly remove ruby?

[Patrick M. Hausen]

There is no externally supplied data fed to Ruby in OPNsense. So there is no vulnerability.

If you are logged in via SSH you can trigger a bug in Ruby by supplying suitably crafted data and then read information from the running Ruby process with the privilege of the user that started the command in the first place. No privilege escalation, no remote code execution, nothing to see here.

Please don't freak out over CVEs but do a proper risk assessment. There will always be some CVE for a product with as many dependencies as OPNsense and an update cycle of two weeks.

[rickygm]

thank for information

[chemlud]

...todays patch is tomorrows bug... :-D

[franco]

...todays patch is tomorrows bug... :-D

True, and perfect software is dead software.


Cheers,
Franco