Just two days after the disclosure of a string of serious vulnerabilities in Ruby on Rails, researchers have released proof-of-concept exploit code for a couple of the flaws and the team at Metasploit have released a module for the penetration testing framework that exploit one of the bugs, as well.
The CVE-2013-0156 vulnerabilities in Ruby on Rails enable an attacker to take a variety of unwanted actions on vulnerable applications, including executing arbitrary code, accessing data on a backend database and bypassing the authentication system. Researchers have warned about the seriousness of these bugs and recommended that users update their installations immediately.
And that was before the exploit code and Metasploit module were published. Now, the urgency to move to a fixed version of Ruby on Rails has ratcheted up a few notches.
Adam O’Donnell of Sourcefire said in an analysis of the vulnerabilities that the most serious bug could be used for a fast-moving worm, but that isn’t even the most troubling scenario.
“It is my opinion that we have to consider that a worm is not the most serious threat we could face. The worst case situation is that attackers use the vulnerability to silently compromise massive numbers of vulnerable websites, grab everything from the database, and install persistent backdoors in the infrastructure of every organization running the vulnerable code. They could also silently post a client-side exploit that targets people who come to that site, commonly known as a Watering Hole attack. A worm would likely force everyone to fix their infrastructure immediately, while silent exploitation may not be as motivating,” O’Donnell said.
Ruby on Rails is a hugely popular Web application framework but it has not been in the security spotlight much in recent years. While software such as Java and Flash have taken turns as attackers’ favorite playthings, and the ASP.NET framework has had its problems as well, but Ruby on Rails has been mostly below the waterline. No longer.
As O’Donnell points out, the threat from attacks on this vulnerability is real and isn’t going away anytime soon.
“If you are running Rails code, stop what you are doing and upgrade your Rails environment right now. If you are managing people who are writing Rails code, get them to upgrade their environment immediately. If you are a web hoster that has a significant number of people running Rails code, contact your customers and get them to upgrade,” O’Donnell said.
The Metasploit module released on Wednesday works against versions 2.x and 3.x.