Security Experts:

Ruby on Rails Releases 'Extremely Critical' Security Fixes – Exploit Code En Route

Ruby on Rails maintainers have released another critical update to the popular Web application framework to address some serious issues.

The latest versions, 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been updated with "two extremely critical security fixes" and should be applied immediately, according to a post on RubyonRails.org Jan. 8. The "multiple weaknesses" in the parameter parsing code for Ruby on Rails allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a denial-of-service attack on a Rails application, according to the advisory posted on the Ruby on Rails Security list on Google Groups.

Ruby on Rails ExploitsThe CVE-2013-0156 flaw involves how Ruby on Rails parses some parameters and how certain strings are being converted into unsuitable types, according to the advisory. Since portions of the vulnerability have been disclosed publicly, users running an affected release should either upgrade or implement one of the recommended workarounds, such as disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. All versions after 2.0 appear to be affected.

“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge," Claudio Guarnieri, a security researcher at Rapid7, told SecurityWeek.

Ruby on Rails is an open-source Web framework intended to make it easier and simpler to design and deploy Web applications. Currently used by more than 240,000 websites, according to usage statistics on trends.builtwith.com, it appears the vulnerability was introduced in version 2.0 and has been present for the past six years.

"From a technical standpoint it's a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution," Guarnieri said. He said organizations using Ruby on Rails for their Web applications should disable XML parsing.

There's no patch available for version 2.0.2, but administrators running that version of Rails can add a line at the bottom of a configuration file to fix the issue, according to a comment on the post announcing the upgrade. Older versions such as 1.1.6 are not affected.

The latest update comes a few days after the Ruby on Rails maintainers released a fix for an SQL injection vulnerability (CVE-2012-5664) in the framework. The flaw was in the way dynamic finders in Active Record extract options from method parameters, according to the earlier advisory. Considering the framework's popularity, the vulnerability received a lot of attention, but many security experts downplayed the significance, saying the flaw would not affect many organizations.

“The SQL flaw identified in CVE-2012-5664 is a non-issue for most organizations since it requires an exposed secret token or a non-standard code path to become exploitable," HD Moore, CSO and Chief Architect of Rapid7, told SecurityWeek.

In contrast, the issues highlighted in CVE-2013-0156 affect all Rails applications in their default configuration and one of the results is the ability to trigger the same sort of SQL injection issue without requiring access to the secret token, Moore said. Penetration testing framework Metasploit has already updated its application and is working on a testing module for the vulnerability.

"The YAML deserialization issue covered in CVE-2013- 0156 can lead to remote code execution as well, which is a much more significant impact than SQL injection," Moore said.

While there is a lot of information available about vulnerability, the researcher who publicized the issue stopped short of releasing a working proof-of-concept. A quick review of common Ruby on Rails classes didn't turn up any obvious paths to exploit the issues, but it's possible there is more than one attack path available, Moore noted on the Metasploit blog.

With the vulnerability public, there are concerns an exploit is on the way. "The risk of compromise will escalate in the next days with weaponized exploits likely coming out,” Guarnieri predicted.

Ruby on Rails also closed a denial of service bug in 3.2.11, 3.1.10, 3.0.19, or 2.3.15. This flaw is triggered when Active Record is used when JSON parameters are being parsed. While attackers won't be able to insert arbitrary values, they can "issue unexpected database queries," the advisory said. This issue affects version 3.x of Rails.

Subscribe to the SecurityWeek Email Briefing
view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.