Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Uncover Critical RubyGems Vulnerabilities

Researchers at Trustwave have uncovered critical vulnerabilities in RubyGems, the package manager for the Ruby programming language.

Researchers at Trustwave have uncovered critical vulnerabilities in RubyGems, the package manager for the Ruby programming language.

The first flaw, CVE-2015-3900, is a request hijacking vulnerability and has been patched. 

According to Jonathan Claudius, lead security researcher at Trustwave, the vulnerability is critical because it allows a cyber-criminal to remotely execute code on Ruby users when they are trying to install a RubyGem.

“It’s trivial to exploit,” he told SecurityWeek. “An attacker simply needs to poison a DNS record to gain remote code execution on a given client machine.”

According to Trustwave, the RubyGems client has a ‘Gem Server Discovery’ feature that uses a DNS SRV request for finding a gem server. This functionality does not require that DNS replies come from the same security domain as the original gem source, which allows arbitrary redirection to attacker-controlled gem servers. As a result, an attacker could force the user to install malicious gems.

While RubyGem signing is a mitigation strategy for the issue, it is barely used in the RubyGem ecosystem, according to Trustwave. After CVE-2015-3900 was fixed, Trustwave identified CVE-2015-4020, which allows attackers to redirect users to domains that end with the original security domain – for example, an attacker-controlled rubygems.org.

The bugs could impact a significant number of users. According to Trustwave, OpenDNS security researcher Anthony Kasza found that OpenDNS sees roughly 24,000 requests for the DNS SRV record each day, meaning there are 24,000 gem installations per day discounting local system caches, gem dependencies and gem installation typos. Since OpenDNS sees about two percent of the world’s Internet traffic, assuming each area of the world has the same likelihood of installing gem packages, which could mean there are 1.2 million gem installations per day across the Internet.

Ruby fixed the first vulnerability May 14th and the second one on June 8th.

Advertisement. Scroll to continue reading.

As an example of an attacker scenario, Claudius said, imagine a user goes into a coffee shop with free Wi-Fi and installs Ruby-based software and either the coffee shop owner or a malicious party forges a bad DNS response that points the user to a malicious gem server.

“At that time, the user will download and install potentially Trojaned software and compromise their workstation,” he said.

The issues could also be attacked in a broad, wide-sweeping DNS poisoning attack affecting the entire RubyGem ecosystem, he said.

Trustwave suggests user upgrade their RubyGem client in all of their Ruby environments to 2.4.8 or higher. In addition, verify all RubyGem sources are using HTTPS using the “gem sources” command. For gem producers, consider gem-signing, the firm recommends. Gem consumers should use the strongest gem installation trust policies supported by their gem provider, according to the firm.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.