
A Hard Knock Life - Ruby on Rails Vulnerabilities and System Hardening

Last week, Ruby on Rails (RoR), a popular web application framework, was reported to be affected by two critical vulnerabilities. In this column I discuss the technical details of these vulnerabilities and show how web application administrators can avoid these and similar problems in the first place with proper system hardening. I will also suggest a cost-effective way to reach the desired “hardened system” status with security solutions equipped with machine learning capabilities.

Ruby on Rails Recent Vulnerabilities: Technical Details Explained

Both of the reported vulnerabilities stem from RoR’s parameter parsing code. The parser’s handling of complex object representations, such as the XML and JSON serialization formats, failed to address some esoteric scenarios, which gave rise to several security issues. If you don’t want any more technical details, you can skip to the next section.

The root cause of CVE-2013-0155 is an unexpected use of the JSON serialization format. An attacker using JSON can trick a Ruby application that expects a parameter to be of an atomic type (i.e. an integer or a string) by passing a JSON array instead. With this unexpected input, the attacker is able to smuggle an empty value (“NULL”) as the only element of the array and bypass an application-specific “IS NULL” check designed for atomic types, since the array itself is not empty.
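The following Ruby script is an added example, not code from the column or from Rails. It reproduces the condition described above with a constructed stand-in for the query builder (the `where_fragment` helper, which only mirrors the behaviour the column describes) and shows the hardening that closes it: a `scalar_param` accessor that refuses any non-atomic value for a field declared atomic.

```ruby
require "json"

# Ruby classes that count as "atomic" parameter values. JSON parsing can also
# yield Array and Hash, which a field declared atomic must never accept.
SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Application-level presence check of the kind the column describes. It passes
# for [nil] because the array itself is not empty.
def naive_present?(value)
  return false if value.nil?
  !(value.respond_to?(:empty?) && value.empty?)
end

# Constructed stand-in for a query builder, written to mirror the behaviour the
# column describes (not Rails' own code): nil, or an array holding only nils,
# becomes IS NULL; other arrays become an IN list.
def where_fragment(column, value)
  case value
  when nil then "#{column} IS NULL"
  when Array
    return "#{column} IS NULL" if value.compact.empty?
    "#{column} IN (#{value.compact.map(&:inspect).join(', ')})"
  else "#{column} = #{value.inspect}"
  end
end

# Hardened accessor: a parameter the application treats as atomic must arrive
# as one, whatever the serialization format allowed the client to send.
def scalar_param(params, key)
  value = params[key]
  return value if SCALAR_TYPES.any? { |t| value.is_a?(t) }
  raise ArgumentError, "parameter #{key.inspect} must be atomic, got #{value.class}"
end

# Unhardened flow: the presence check is satisfied by [null] and the lookup
# degenerates into "token IS NULL".
def lookup_sql(raw_json)
  token = JSON.parse(raw_json)["token"]
  return nil unless naive_present?(token)
  where_fragment("token", token)
end

# Hardened flow: the same request is rejected before any query is built.
def hardened_lookup_sql(raw_json)
  token = scalar_param(JSON.parse(raw_json), "token")
  return nil unless naive_present?(token)
  where_fragment("token", token)
end
```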

The essence of CVE-2013-0156 is an unexpected use of the XML serialization format. Through the XML serialization format, an attacker can tell the RoR parser to automatically instantiate complex objects, such as the YAML type. Instantiating a YAML complex object may involve evaluating arbitrary, attacker-controlled Ruby code. Some sources report that they were able to abuse this vulnerability to run arbitrary operating system (OS) commands.

Note that the latter vulnerability (CVE-2013-0156) is much more dangerous than the former (CVE-2013-0155). While CVE-2013-0155 is very context and application specific, CVE-2013-0156 is far more general: it is not tied to a specific RoR application but affects all RoR applications, as the vulnerability resides in the RoR infrastructure itself.

Hardening - Making Your System a Hard Candy for Attackers

Wikipedia defines system hardening as “the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.”

When the application is promoted from development to production, the system configuration must be hardened to disable any irrelevant parts that may help an attacker. In the hardening process, detailed error messages should be disabled, excessive file and directory permissions should be restricted, source code leftovers should be deleted, and so on.

In the case of the RoR vulnerabilities, a well-hardened system would have saved the day for most RoR web applications. Many applications don’t use XML serialization at all, and of those that do, only a minority actually use the YAML serialization format. Therefore, the vast majority of RoR-powered applications don’t need YAML support at all. Had these systems been hardened to block the use of XML, or of YAML within XML, they would not have been vulnerable to CVE-2013-0156. A similar argument can be made for JSON hardening with respect to CVE-2013-0155.
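As an added illustration of the “YAML within XML” hardening argued above (example code, not from the column or from Rails), this Ruby script parses XML parameters with the standard-library REXML parser and converts typed nodes only through a constructed allowlist of plain data types; a `type="yaml"` node is refused outright instead of being instantiated.

```ruby
require "rexml/document"

# Constructed allowlist for the "type" attribute of XML parameter nodes. Only
# plain data types appear here; "yaml" and "symbol" are deliberately absent,
# so a typed node can never trigger object instantiation or code evaluation.
SAFE_XML_TYPES = {
  "integer" => ->(s) { Integer(s, 10) },
  "float"   => ->(s) { Float(s) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
  "string"  => ->(s) { s },
}.freeze

class UnsupportedXmlType < StandardError; end

# Converts one element to a Ruby value: untyped nodes stay strings, typed nodes
# go through the allowlist or are refused outright.
def typed_value(element)
  text = element.text.to_s
  type = element.attributes["type"]
  return text if type.nil?
  converter = SAFE_XML_TYPES[type]
  raise UnsupportedXmlType, "type=#{type.inspect} is not allowed" unless converter
  converter.call(text)
end

# Parses a flat XML parameter document into a Hash, the way a hardened
# parameter parser would before the values reach application code.
def parse_xml_params(xml)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    params[el.name] = typed_value(el)
  end
end

# Constructed sample requests: an ordinary one and one that asks for YAML.
BENIGN_XML = '<post><id type="integer">7</id><title>hello</title></post>'
YAML_TYPED_XML = '<post><id type="yaml">--- 7</id></post>'
```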

Hardening is Made Easy with Machine Learning Solutions

Achieving the status of a fully hardened system is a very hard and time-consuming task when done manually. The hardening process requires vast knowledge of many different aspects of IT and development and involves many details. Luckily, the daunting task of hardening can be automated. A system equipped with machine learning capabilities is able to observe the usual usage patterns of the application and detect any anomalies from them, thus performing an automatic, ongoing hardening process.

In the case of the RoR vulnerabilities, a Web Application Firewall (WAF) equipped with machine learning capabilities is able to learn the normal usage of a web application and automatically detect the abnormal usage of a new parameter or a new parameter format.
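To make the learning-WAF idea concrete, here is an added Ruby example (not the column’s or any vendor’s code) of the simplest form of such a profile: it observes constructed JSON requests per endpoint, records each parameter’s name and coarse value shape, and then reports a parameter the endpoint never received or a known parameter arriving in a never-seen shape, such as an array where a string was always sent.

```ruby
require "json"
require "set"

# Coarse value "shape", the kind of per-parameter feature a learning WAF
# profiles: a presence check or SQL lookup behaves very differently for an
# array than for a string, so the shape is what the baseline has to capture.
def value_shape(value)
  case value
  when nil then :null
  when String then value.match?(/\A\d+\z/) ? :digits : :string
  when Integer, Float then :number
  when true, false then :boolean
  when Array then :array
  when Hash then :object
  else :other
  end
end

# Observation phase: per endpoint, record every parameter name and the shapes
# it was seen with. Requests are constructed {path:, body:} hashes.
def learn_profile(requests)
  profile = Hash.new { |h, path| h[path] = Hash.new { |h2, name| h2[name] = Set.new } }
  requests.each do |req|
    JSON.parse(req[:body]).each { |name, v| profile[req[:path]][name] << value_shape(v) }
  end
  profile
end

# Enforcement phase: a parameter the endpoint never received, or a known
# parameter arriving in a never-seen shape, is reported as an anomaly.
def anomalies(profile, req)
  known = profile.fetch(req[:path], {})
  JSON.parse(req[:body]).each_with_object([]) do |(name, v), out|
    shape = value_shape(v)
    if !known.key?(name)
      out << "#{req[:path]}: new parameter #{name}"
    elsif !known[name].include?(shape)
      out << "#{req[:path]}: #{name} has unseen shape #{shape}"
    end
  end
end

# Constructed baseline traffic for the example.
BASELINE = [
  { path: "/login", body: '{"user":"alice","token":"a1b2"}' },
  { path: "/login", body: '{"user":"bob","token":"c3d4"}' },
  { path: "/posts", body: '{"title":"hi","id":"12"}' },
].freeze
```

A real product would add counts, time windows and a tolerance for rarely seen shapes before alerting; the point here is only that the baseline, not a signature, decides what is abnormal.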

Another use case, from a different IT domain, would be hardening of users’ database privileges. A Database Activity Monitoring (DAM) solution equipped with machine learning capabilities can learn the usual usage patterns of a user, e.g. the tables she actually queries. When she (or, more probably, malware on her machine abusing her credentials) attempts to access a table that she is technically allowed to access due to excessive privileges, but never accessed before, the DAM would detect it, thus performing an automatic hardening of the user’s database privileges.

Summing up, system hardening is a very powerful security tool. Using security solutions that include built-in machine learning capabilities is the most cost-effective way to achieve a hardened system status.


Tal Be’ery is a Senior Security Research Manager in Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), developing Microsoft Advanced Threat Analytics (ATA). Previously, Tal managed various security project teams in several companies. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP). He is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, Blackhat and AusCERT and was included by Facebook in their whitehat security researchers list. (Twitter: @talbeerysec)