The vulnerabilities patched Tuesday in the Ruby on Rails Web framework have security researchers warning of the potential for serious attacks and saying that one of the bugs in particular could be easy prey for attackers. The most serious of the flaws is in the parameter parsing function and could allow attackers to run arbitrary code in vulnerable apps.
The team behind the Metasploit Framework is in the process of developing a module for that specific vulnerability, something that often presages the release of public exploit code for a bug. A couple of researchers have claimed publicly that they had developed proof-of-concept code that can exploit the XML parsing flaw on virtually any application built on Ruby on Rails 3.x or 2.x.
HD Moore, the creator of Metasploit, said that the bug is a particularly nasty one. He said it “is more than likely the worst security issue that the Rails platform has seen to date.”
Ruby on Rails is a popular Web framework used to develop Web applications for a variety of uses. There are thousands of apps built on the framework, and this is the second major security issue to crop up for Ruby on Rails in the last few days. Last week a serious SQL injection flaw in Ruby on Rails was disclosed, a problem that affects every current version of the framework.
The vulnerabilities patched on Tuesday affect a smaller portion of the current versions, but the consequences of an attack on the XML parsing bug could be just as serious as an attack on the SQL injection vulnerability.
“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge. The flaw lies in the Ruby on Rails XML parsing component which can be subverted into processing a given request as a different format. From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution. Organizations that adopt Ruby on Rails in their applications and didn’t disable XML parsing should update to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible, as the risk of compromise will escalate in the next days with weaponized exploits likely coming out,” said Claudio Guarnieri, a security researcher at Rapid7.
The maintainers of Ruby on Rails have recommended that users update their software immediately to one of the versions that includes the patches.
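As an added illustration (not code from the article, from Rails or from Rapid7), the following stdlib-only Rack-style middleware applies the “disable XML parsing” stopgap at the request edge for applications that cannot move to the patched versions immediately: it refuses XML request bodies with a 415 before they reach the framework’s parameter parser and logs each rejection. The XML media-type aliases and the request fields used are assumptions.

```ruby
# Hypothetical Rack-style middleware: refuse XML request bodies before the
# framework's parameter parser sees them, logging each rejected request.
# Stands in for disabling XML parameter parsing until the patched versions
# (3.2.11, 3.1.10, 3.0.19, 2.3.15) are deployed. Not Rails' own code.
require 'logger'

class RejectXmlParams
  # Media types handled as XML parameters (assumed alias list: application/xml
  # plus the text/xml and application/x-xml synonyms).
  XML_TYPES = %w[application/xml text/xml application/x-xml].freeze

  def initialize(app, logger: Logger.new($stderr))
    @app = app
    @logger = logger
  end

  # True when the Content-Type header names an XML media type. Ignores
  # parameters such as "; charset=utf-8" and letter case, both of which a
  # naive string comparison would miss.
  def self.xml_content_type?(header)
    return false if header.nil?
    media_type = header.split(';', 2).first.to_s.strip.downcase
    XML_TYPES.include?(media_type)
  end

  def call(env)
    if self.class.xml_content_type?(env['CONTENT_TYPE'])
      @logger.warn("rejected XML body from #{env['REMOTE_ADDR']} to #{env['PATH_INFO']}")
      return [415, { 'Content-Type' => 'text/plain' }, ["XML request bodies are disabled\n"]]
    end
    @app.call(env)
  end
end

# Minimal downstream app and a constructed request for stand-alone use.
UPSTREAM = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Returns the HTTP status the middleware produces for a constructed POST
# carrying the given Content-Type (nil means no header was sent).
def status_for(content_type)
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/users',
          'REMOTE_ADDR' => '203.0.113.7', 'CONTENT_TYPE' => content_type }
  RejectXmlParams.new(UPSTREAM, logger: Logger.new(nil)).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for('application/xml; charset=utf-8') # 415
  puts status_for('application/json')              # 200
end
```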