
Researchers Uncover Critical RubyGems Vulnerabilities

Researchers at Trustwave have uncovered critical vulnerabilities in RubyGems, the package manager for the Ruby programming language.


The first flaw, CVE-2015-3900, is a request hijacking vulnerability and has been patched. 

According to Jonathan Claudius, lead security researcher at Trustwave, the vulnerability is critical because it allows a cyber-criminal to remotely execute code on Ruby users when they are trying to install a RubyGem.

“It’s trivial to exploit,” he told SecurityWeek. “An attacker simply needs to poison a DNS record to gain remote code execution on a given client machine.”

According to Trustwave, the RubyGems client has a ‘Gem Server Discovery’ feature that uses a DNS SRV request for finding a gem server. This functionality does not require that DNS replies come from the same security domain as the original gem source, which allows arbitrary redirection to attacker-controlled gem servers. As a result, an attacker could force the user to install malicious gems.

While RubyGem signing is a mitigation strategy for the issue, it is barely used in the RubyGem ecosystem, according to Trustwave. After CVE-2015-3900 was fixed, Trustwave identified CVE-2015-4020, which allows attackers to redirect users to domains that merely end with the original security domain – for example, an attacker-controlled domain name ending in rubygems.org.
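To make the two checks described above concrete, here is an added illustration in Ruby (not RubyGems' own code, and not Trustwave's) of how a host discovered through a DNS SRV lookup should be compared with the security domain of the configured gem source. It shows the suffix-only comparison that still lets a look-alike name through, beside a corrected comparison that requires the host to be the domain itself or a true subdomain of it. The function names and the candidate hosts are constructed for the example.

```ruby
require "uri"

# Security domain of the configured gem source, e.g. "rubygems.org".
def security_domain(source_url)
  URI.parse(source_url).host.downcase
end

# Weak check: a plain string suffix match. It rejects unrelated hosts, but
# still accepts a look-alike such as "attacker-controlledrubygems.org"
# because that string happens to end with "rubygems.org" (the pattern
# behind the second flaw, CVE-2015-4020).
def weak_same_domain?(source_url, discovered_host)
  discovered_host.downcase.end_with?(security_domain(source_url))
end

# Corrected check: the discovered host must equal the security domain or be
# a genuine subdomain of it, i.e. the suffix must be preceded by a dot.
# A trailing dot from a fully-qualified DNS name is stripped first.
def strict_same_domain?(source_url, discovered_host)
  domain = security_domain(source_url)
  host = discovered_host.downcase.chomp(".")
  host == domain || host.end_with?(".#{domain}")
end

# Constructed sample: hosts an SRV answer might point the client at.
SOURCE = "https://rubygems.org"
CANDIDATES = [
  "rubygems.org",                    # the source itself
  "mirror.rubygems.org",             # a real subdomain
  "attacker-controlledrubygems.org", # look-alike, only a string suffix match
  "gems.example.net",                # unrelated host
]

# Evaluate every candidate under both checks.
def classify(source_url, hosts)
  hosts.map do |h|
    { host: h,
      weak: weak_same_domain?(source_url, h),
      strict: strict_same_domain?(source_url, h) }
  end
end

if __FILE__ == $0
  classify(SOURCE, CANDIDATES).each do |r|
    puts "#{r[:host]}: weak=#{r[:weak]} strict=#{r[:strict]}"
  end
end
```

Run as a script, the look-alike host is the one row where the two checks disagree; the unrelated host is rejected by both, and the source and its subdomain are accepted by both. The design point is that a domain comparison has to be made on label boundaries, not on raw characters.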

The bugs could impact a significant number of users. According to Trustwave, OpenDNS security researcher Anthony Kasza found that OpenDNS sees roughly 24,000 requests for the DNS SRV record each day, meaning there are 24,000 gem installations per day, discounting local system caches, gem dependencies and gem installation typos. Since OpenDNS sees about two percent of the world’s Internet traffic, and assuming each region of the world is equally likely to install gem packages, that could mean 1.2 million gem installations per day across the Internet.

Ruby fixed the first vulnerability May 14th and the second one on June 8th.

As an example of an attacker scenario, Claudius said, imagine a user goes into a coffee shop with free Wi-Fi and installs Ruby-based software and either the coffee shop owner or a malicious party forges a bad DNS response that points the user to a malicious gem server.

“At that time, the user will download and install potentially Trojaned software and compromise their workstation,” he said.

The issues could also be attacked in a broad, wide-sweeping DNS poisoning attack affecting the entire RubyGem ecosystem, he said.

Trustwave suggests users upgrade their RubyGem client in all of their Ruby environments to 2.4.8 or higher. In addition, users should verify that all RubyGem sources use HTTPS, using the “gem sources” command. For gem producers, the firm recommends considering gem signing. Gem consumers should use the strongest gem installation trust policies supported by their gem provider, according to the firm.
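As an added example of the source check recommended above (not Trustwave's or RubyGems' code), the following Ruby snippet reads the output of the “gem sources” command and reports any configured source that is not served over HTTPS. The sample output embedded here is constructed; in live use the same function can be fed the output of the real command.

```ruby
# Constructed sample of what `gem sources` prints: a banner line, a blank
# line, then one source URL per line.
SAMPLE_GEM_SOURCES = <<~OUT
  *** CURRENT SOURCES ***

  https://rubygems.org/
  http://gems.example.internal/
OUT

# Returns the configured source URLs that do not use https://.
# Non-URL lines (the banner, blank lines) are ignored.
def insecure_sources(gem_sources_output)
  gem_sources_output.lines
    .map(&:strip)
    .select { |l| l =~ %r{\A[a-z][a-z0-9+.-]*://}i }
    .reject { |l| l.downcase.start_with?("https://") }
end

if __FILE__ == $0
  # Live use would be: insecure_sources(`gem sources`)
  bad = insecure_sources(SAMPLE_GEM_SOURCES)
  if bad.empty?
    puts "all gem sources use HTTPS"
  else
    puts "non-HTTPS gem sources: #{bad.join(', ')}"
  end
end
```

An empty result is the expected state on a correctly configured machine; any URL reported should be replaced with its HTTPS equivalent, since a plain-HTTP source leaves the download itself open to the same on-path tampering the article describes.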
