This repository has been archived by the owner on Oct 11, 2023. It is now read-only.

[Potential] Security Vulnerabilities within ruby-coap/david #13

Open
bsmelo opened this issue Apr 10, 2018 · 2 comments

Comments

@bsmelo

bsmelo commented Apr 10, 2018

Hello developers of ruby-coap/david,

My name is Bruno, and I'm an MSc student in Brazil at the Institute of Computing of the University of Campinas.
As part of my research on the application of fuzzing techniques for robustness and security black-box testing of CoAP implementations, I've tested your library. The sample used in my research was compiled from distribution/commit nning/coap@86c8419. The application used to test it was bin/david from b9413ce @ 2018-03-04.

I'm contacting you because the application mentioned above was one of the samples for which our tool was able to detect robustness and/or security issues. In a broad sense, every failure we found can actually be classified as a security vulnerability, because they impact availability --- the application either aborts or needs forceful restart in order to restore servicing CoAP requests. However, we didn't go as far as performing a thorough root-cause analysis for those failures, since it would be unfeasible for us (more than 100 failures were detected across 25 samples, each one using a different CoAP library, spanning 8 programming languages) and thus out-of-scope of this particular research.

We think that one of our main contributions is the opportunity to make a real-world impact on IoT security by reporting those failures to CoAP libraries' maintainers, with a comprehensible and easy way to replicate them so developers can further investigate and fix those failures. So, in order to follow up with a responsible disclosure process, we ask for a proper e-mail address (or any other form of contact) so we can send you:

  • A script to reproduce the failures;
  • A pcap file used by the script, containing the packets causing the failures;
  • A logfile with the stacktraces we got for each reported failure.

We expect a reply anytime soon.
Please let us know which form of contact we should use --- or if it's ok to use this channel.

Thanks & Regards,
Bruno Melo.

@nning
Owner

nning commented Apr 10, 2018

I appreciate your efforts and thank you very much for offering information on these issues. As far as I know, david (and the coap gem) is mostly used in an academic context, but maybe it is sensible to sight your logs without full disclosure first.

Please send any information your fuzzing yielded to [email protected] (you can encrypt it to gpg key id 0xae5fc712).

I will try to sort out single concrete issues and fix them according to their severity as soon as possible.

Thanks and best regards,
henning

@bsmelo
Author

bsmelo commented Apr 10, 2018

Sent to the email provided.
