ruby-net-imap
cpe:2.3:a:ruby-lang:net::imap:*:*:*:*:ruby:*:*
- >= 0.3.2, < 0.3.8
- >= 0.4.0, < 0.4.19
- >= 0.5.0, < 0.5.6
A denial-of-service vulnerability has been identified in Net::IMAP, the Ruby library that implements Internet Message Access Protocol (IMAP) client functionality. It affects versions 0.3.2 prior to 0.3.8, 0.4.0 prior to 0.4.19 and 0.5.0 prior to 0.5.6. The flaw is in the response parser: a malicious server can send highly compressed 'uid-set' data (for example the single range 1:4294967295), which the client's receiver thread parses automatically as it arrives. The parser expands each range into an array of integers with no limit on the expanded size, so a few bytes from the server can force the client to allocate billions of integers and exhaust its memory.
Exploitation causes a memory-exhaustion denial of service: the affected application fails to allocate the memory the expanded ranges require and crashes or becomes unresponsive. The only precondition is that the client connects to a server the attacker controls.
The vulnerability can be reproduced with a Ruby script that uses Net::IMAP to connect to an IMAP server under the tester's control. APPENDUID and COPYUID are response codes sent by the server (RFC 4315), not commands issued by the client: the test server answers the client's APPEND, COPY or MOVE with an OK response carrying, for example, [APPENDUID 1 1:4294967295] or [COPYUID 1 1:4294967295 1:4294967295], where the uid-set spans the full 32-bit UID space. Because the receiver thread parses every response the server sends, the response code can also arrive unsolicited in an untagged OK. The response parser expands such a range into an array of roughly 4.3 billion Integers (on the order of 32 GB of array slots alone), exhausting the client's memory. Run the reproduction in a memory-limited sandbox (for example under ulimit -v or a container memory limit) so the failure is a clean allocation error rather than a host-wide out-of-memory condition.
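The following Ruby is an added illustration, not the library's own parser: it shows the difference between expanding every uid-set range with Range#to_a, as the advisory describes, and computing the expanded size first and refusing sets above a cap. The two response lines are constructed samples, and UID_SET_RE, MAX_UID, parse_uid_set, uid_set_size, expand_unbounded, expand_bounded and uid_sets_in are names chosen here, not Net::IMAP API.

```ruby
# Constructed sample responses (not captured from a real server): the first is the
# kind of reply a hostile server could send, the second an ordinary APPEND result.
MALICIOUS_COPYUID = "* OK [COPYUID 38505 1:4294967295 1:4294967295] Copied"
BENIGN_APPENDUID  = "A003 OK [APPENDUID 38505 3955] APPEND completed"

MAX_UID = 4_294_967_295 # uniqueid is a non-zero 32-bit number (RFC 3501 / RFC 4315)
# uid-set = (uniqueid / uid-range) *("," uid-set); uid-range = uniqueid ":" uniqueid
UID_SET_RE = /\A\d+(?::\d+)?(?:,\d+(?::\d+)?)*\z/

# Parse "1:5,7,9:12" into [first, last] pairs without expanding anything.
def parse_uid_set(text)
  raise ArgumentError, "not a uid-set: #{text.inspect}" unless text.match?(UID_SET_RE)
  text.split(",").map do |atom|
    lo, hi = atom.split(":").map(&:to_i)
    hi ||= lo                       # a single uniqueid is a range of one
    lo, hi = hi, lo if lo > hi      # RFC 4315 allows either order
    raise ArgumentError, "uid out of range: #{atom}" unless lo >= 1 && hi <= MAX_UID
    [lo, hi]
  end
end

# Number of UIDs the set expands to, computed from the range bounds (O(ranges), not O(UIDs)).
def uid_set_size(ranges)
  ranges.sum { |lo, hi| hi - lo + 1 }
end

# Vulnerable behaviour as the advisory describes it: every range becomes a full Array,
# so "1:4294967295" allocates ~4.3 billion Integers. Never call this on untrusted input.
def expand_unbounded(ranges)
  ranges.flat_map { |lo, hi| (lo..hi).to_a }
end

# Hardened behaviour: size the set first and refuse to materialise it above a cap.
def expand_bounded(ranges, max_size:)
  size = uid_set_size(ranges)
  raise RangeError, "uid-set expands to #{size} UIDs (limit #{max_size})" if size > max_size
  expand_unbounded(ranges)
end

# Pull the uid-set(s) out of an APPENDUID (one set) or COPYUID (two sets) response code.
# Returns [] when the line carries neither code.
def uid_sets_in(response_line)
  m = response_line.match(/\[(APPENDUID|COPYUID) (\d+) ([^\]]+)\]/) or return []
  m[3].split(" ").map { |set| parse_uid_set(set) }
end

if $PROGRAM_NAME == __FILE__
  [BENIGN_APPENDUID, MALICIOUS_COPYUID].each do |line|
    uid_sets_in(line).each do |ranges|
      begin
        expanded = expand_bounded(ranges, max_size: 10_000)
        puts "#{line[0, 40]}... -> #{expanded.size} UIDs expanded"
      rescue RangeError => e
        puts "#{line[0, 40]}... -> rejected: #{e.message}"
      end
    end
  end
end
```

The size check is the whole fix: the hostile COPYUID above is 45 bytes on the wire but declares 2 x 4,294,967,295 UIDs, and only a parser that reasons about range bounds before allocating can tell the two apart.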
Users should upgrade to Net::IMAP 0.3.8, 0.4.19, 0.5.6 or later. In 0.4.19 and 0.5.6 the default configuration caps the uid-set size that the parser will expand into the deprecated 'UIDPlusData' struct; the cap is the 'parser_max_deprecated_uidplus_data_size' attribute on Net::IMAP::Config and can be lowered or raised to suit the application. In version 0.6.0 'UIDPlusData' will be removed entirely and the response parser will produce only 'AppendUIDData' or 'CopyUIDData', which keep the uid-set in compact range form and are backward-compatible with most applications.
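An added check, not from the advisory or the net-imap project, that classifies a net-imap version against the ranges listed above and, on a fixed release, tightens the cap. net_imap_affected?, installed_net_imap_status and tighten_uidplus_limit are names chosen here; that Net::IMAP.config and the parser_max_deprecated_uidplus_data_size accessor exist only on 0.4.19+/0.5.6+ is assumed, so the setter is feature-guarded and returns nil where they are absent.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement (already loaded by modern Ruby)

# Affected ranges exactly as listed in this advisory.
AFFECTED_NET_IMAP = [
  [">= 0.3.2", "< 0.3.8"],
  [">= 0.4.0", "< 0.4.19"],
  [">= 0.5.0", "< 0.5.6"],
].map { |reqs| Gem::Requirement.new(*reqs) }.freeze

# True when +version+ (a String or Gem::Version) falls inside any affected range.
def net_imap_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_NET_IMAP.any? { |req| req.satisfied_by?(v) }
end

# Classify the net-imap that this process would actually load; nil if it cannot be loaded.
def installed_net_imap_status
  require "net/imap"
  version = Net::IMAP::VERSION
  { version: version, affected: net_imap_affected?(version) }
rescue LoadError
  nil
end

# Lower the UIDPlusData expansion cap on a fixed release. Assumption: the global config
# object and its parser_max_deprecated_uidplus_data_size= setter are present only on
# 0.4.19+/0.5.6+, so older (vulnerable) versions get nil here and must be upgraded instead.
def tighten_uidplus_limit(max)
  require "net/imap"
  return nil unless Net::IMAP.respond_to?(:config)
  cfg = Net::IMAP.config
  return nil unless cfg.respond_to?(:parser_max_deprecated_uidplus_data_size=)
  cfg.parser_max_deprecated_uidplus_data_size = max
  cfg.parser_max_deprecated_uidplus_data_size
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  status = installed_net_imap_status
  if status.nil?
    puts "net/imap not loadable in this Ruby"
  elsif status[:affected]
    puts "net-imap #{status[:version]} is AFFECTED: upgrade to 0.3.8 / 0.4.19 / 0.5.6 or later"
  else
    limit = tighten_uidplus_limit(100)
    puts "net-imap #{status[:version]} is not affected" \
         "#{limit ? "; UIDPlusData cap now #{limit}" : " (no configurable cap on this release)"}"
  end
end
```

A nil from tighten_uidplus_limit on an affected version is the expected outcome, not a failure: the cap is a belt-and-braces setting on the fixed releases, and the only remediation for 0.3.2-0.3.7, 0.4.0-0.4.18 and 0.5.0-0.5.5 is the upgrade.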