CVE-2019-16201
📋 TL;DR
This vulnerability allows attackers to cause denial of service (DoS) in Ruby WEBrick servers using Digest authentication through a regular expression backtracking attack. Affected systems include Ruby applications running WEBrick servers with DigestAuth enabled and exposed to untrusted networks. The vulnerability affects Ruby versions through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4.
💻 Affected Systems
- Ruby
- WEBrick
📦 What is this software?
Ruby by Ruby Lang
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion from regular expression backtracking, potentially requiring server restart.
Likely Case
Service degradation or temporary unavailability until the malicious request stops or server resources are freed.
If Mitigated
Minimal impact if WEBrick is not internet-facing or DigestAuth is disabled.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to trigger regex backtracking in DigestAuth implementation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ruby 2.4.8, 2.5.7, 2.6.5 and later
Vendor Advisory: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
Restart Required: Yes
Instructions:
1. Update Ruby to a patched version using your package manager or Ruby version manager.
2. Restart affected WEBrick servers.
3. Verify the fix by checking the Ruby version.
🔧 Temporary Workarounds
Disable DigestAuth
Disable Digest authentication in WEBrick configuration if not required.
Modify WEBrick configuration to remove or comment out DigestAuth settings
Network isolation
Restrict WEBrick server access to trusted networks only.
Configure firewall rules to limit access to WEBrick ports
🧯 If You Can't Patch
- Disable DigestAuth in WEBrick configuration
- Implement network segmentation to restrict WEBrick access to trusted networks only
- Deploy web application firewall (WAF) with regex DoS protection
- Monitor server resources and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check the Ruby version and verify whether WEBrick with DigestAuth is enabled and exposed to untrusted networks.
Check Version:
ruby --version
Verify Fix Applied:
Confirm Ruby version is 2.4.8+, 2.5.7+, or 2.6.5+ and test WEBrick functionality.
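An added helper (not part of this advisory) that classifies a Ruby version string against the fixed releases listed above; it assumes the branch boundaries from the TL;DR (everything through 2.4.7 affected, 2.5.x before 2.5.7, 2.6.x before 2.6.5, nothing from 2.7 onward).

```ruby
# Added example, not from the advisory: decide whether a Ruby version
# is still affected by CVE-2019-16201 using the fixed releases above.
FIXED_IN = {
  [2, 4] => [2, 4, 8],
  [2, 5] => [2, 5, 7],
  [2, 6] => [2, 6, 5]
}.freeze

# Accepts either the output of `ruby --version`
# ("ruby 2.6.4p104 (2019-10-01 revision 67812) [x86_64-linux]")
# or a bare "2.6.4" and returns [major, minor, patch].
def parse_ruby_version(text)
  m = text.match(/(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "no version found in #{text.inspect}" unless m
  m.captures.map(&:to_i)
end

# true while the version predates the fix on its branch.
def vulnerable_to_cve_2019_16201?(version_text)
  major, minor, patch = parse_ruby_version(version_text)
  branch = [major, minor]
  fixed = FIXED_IN[branch]
  if fixed
    # Lexicographic compare of [major, minor, patch] against the fix.
    ([major, minor, patch] <=> fixed) < 0
  else
    # Assumption from the stated ranges: branches below 2.4 are affected
    # ("through 2.4.7"); 2.7 and later were never affected.
    (branch <=> [2, 4]) < 0
  end
end

if __FILE__ == $PROGRAM_NAME
  status = vulnerable_to_cve_2019_16201?(RUBY_VERSION) ? "VULNERABLE" : "fixed"
  puts "Ruby #{RUBY_VERSION}: #{status} (CVE-2019-16201)"
end
```

Run it on the host serving WEBrick, since the interpreter that loads WEBrick is the one that matters, not the one on your workstation.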
📡 Detection & Monitoring
Log Indicators:
- Unusual CPU/memory spikes on WEBrick servers
- Multiple failed authentication attempts with malformed headers
- WEBrick process crashes or hangs
Network Indicators:
- High volume of requests to WEBrick authentication endpoints
- Requests with malformed Authorization headers
SIEM Query:
source="webrick" AND ((cpu_usage>90 OR memory_usage>90) OR event="authentication_failure")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- https://hackerone.com/reports/661722
- https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://seclists.org/bugtraq/2019/Dec/31
- https://seclists.org/bugtraq/2019/Dec/32
- https://security.gentoo.org/glsa/202003-06
- https://www.debian.org/security/2019/dsa-4587
- https://www.oracle.com/security-alerts/cpujan2020.html