The maintainers of Ruby have fixed a serious flaw in its SSL client that could have allowed an attacker to conduct man-in-the-middle attacks by spoofing an SSL server.
The vulnerability lies in the OpenSSL toolkit that’s built in to Ruby and is present in several versions of the software from 1.8 through 2.0. An attacker exploiting the flaw could impersonate a trusted SSL server and intercept protected traffic intended for that server. The Ruby maintainers have released patches for the bug.
“A vulnerability in Ruby’s SSL client that could allow man-in-the-middle attackers to spoof SSL servers via valid certificate issued by a trusted certification authority,” the Ruby advisory says. “When a CA a SSL client trusts allows to issue the server certificate that has null byte in subjectAltName, remote attackers can obtain the certificate for ‘www.ruby-lang.org.example.com’ from the CA to spoof ‘www.ruby-lang.org’ and do man-in-the-middle between Ruby’s SSL client and SSL servers.”
The vulnerability affects version 1.8 up to 1.8.7 patchlevel 374, version 1.9 up to 1.9.3 patchlevel 448 and version 2.0 up to patchlevel 247.
An attacker with knowledge of the vulnerability would have the ability to compromise supposedly protected traffic between an SSL server and the Ruby SSL client, a major weakness. Man-in-the-middle attacks are among the more effective methods of gaining access to SSL-protected communications and those kinds of vulnerabilities are especially valuable for attackers of all stripes.
Image from Flickr photos of Mael Clerambault.