RubyGems create life easier for developers to distribute software package to users. A vulnerability within the Ruby package manager might create life easier for hackers to send victims to bother.
Disclosed nowadays by researchers at Trustwave and OpenDNS, the vulnerability, CVE-2015-3900, permits Associate to send a RubyGem consumer to a gem server controlled by the aggressor wherever further malware or exploits is dead.
The problem is noteworthy on many fronts. One especially surfaces once HTTPS clients also can be redirected, bypassing HTTPS verification on the initial gem supply.
“This implies that the aggressor will force the user to put in malicious/trojaned gems,” researchers at Trustwave aforesaid.
Additional trouble was found via the RubyGems Gem Server Discovery feature that uses a DNS SRV request so as to seek out gem servers.
“This practicality doesn’t need that DNS replies come back from a similar security domain because the original gem supply, permitting discretionary redirection to aggressor controlled gem servers,” Trustwave aforesaid, adding that proof of concept Gem Trojaning service written by its researchers exploits the vulnerability and transparently turns a RubyGem into a Trojan as a user installs it.
Trustwave, in collaboration with OpenDNS, estimates that more than a million software installations daily could be affected, extrapolating out to 438 million annually.
RubyGems’ maintainers have fixed the issue, but users must upgrade RubyGem clients in all Ruby environments to 2.4.8 or higher.
The breadth of those affected by the vulnerability is also going to give birth to debates over whether gems should be signed. Trustwave said that none of the top 10 gems are signed, and that list includes rake, rack, json and rails.
“Ruby gem signing is an obvious mitigation strategy for the above mentioned transport security issues. However, gem signing is barely used in the Ruby gem ecosystem,” Trustwave said. “We demonstrated that even if you are using signed gems, by using CVE-2015-3900, you must be using the HighSecurity trust policy or gems can still be trojaned in transit due to a signing downgrade attack.”
RubyGems are used in Ruby libraries and applications. It’s a standard packaging format used by developers to build and distribute software. Once the vulnerability was patched, Trustwave said it identified an additional bypass that an attacker can use to redirect users to a domain that ends with the original security domain; Trustwave provided the example: attackercontrolledrubygems.org.
“These issues affect the RubyGems client and any environment that embeds the RubyGems client. Ruby, JRuby, and Rubinuius have all been confirmed to embed the RubyGems client and are affected by CVE-2015-3900,” Trustwave said. “The mechanism for updating to a fixed version of RubyGems also uses the same vulnerable functionality we’re trying to protect.”