RubyGems makes it easier for developers to distribute software to users. A vulnerability in the Ruby package manager could make it just as easy for attackers to redirect those users to trouble.
Disclosed today by researchers at Trustwave and OpenDNS, the vulnerability, CVE-2015-3900, lets an attacker redirect a RubyGems client to a gem server the attacker controls, from which malicious gems or further exploits can be served.
The problem is noteworthy on several fronts. In particular, clients using HTTPS can be redirected as well, which bypasses the HTTPS verification performed against the original gem source: the certificate check happens for the source the user configured, not for the server the client is silently sent to.
“This means that the attacker can force the user to install malicious/trojaned gems,” researchers at Trustwave said.
The underlying flaw is in the RubyGems Gem Server Discovery feature, which issues a DNS SRV query to locate a gem server for the configured source.
“This functionality does not require that DNS replies come from the same security domain as the original gem source, allowing arbitrary redirection to attacker controlled gem servers,” Trustwave said, adding that a proof-of-concept gem trojaning service written by its researchers exploits the vulnerability and transparently turns a gem into a Trojan as the user installs it.
Trustwave, in collaboration with OpenDNS, estimates that more than a million software installations daily could be affected, extrapolating out to 438 million annually.
RubyGems’ maintainers have fixed the issue, but users must upgrade the RubyGems client in every Ruby environment they use to 2.4.8 or higher.
The breadth of those affected by the vulnerability is also likely to renew debate over whether gems should be signed. Trustwave said that none of the top 10 gems are signed, a list that includes rake, rack, json and rails.
“Ruby gem signing is an obvious mitigation strategy for the above mentioned transport security issues. However, gem signing is barely used in the Ruby gem ecosystem,” Trustwave said. “We demonstrated that even if you are using signed gems, by using CVE-2015-3900, you must be using the HighSecurity trust policy or gems can still be trojaned in transit due to a signing downgrade attack.”
Gems are the standard packaging format for Ruby libraries and applications, used by developers to build and distribute software. Once the initial fix was released, Trustwave said it identified an additional bypass: the patched check only required that the discovered server name end with the original security domain, so an attacker could still redirect users to a domain such as the example Trustwave provided, attackercontrolledrubygems.org, which ends with rubygems.org but is not part of it.
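To make the discovery step and the two checks concrete, here is an added Ruby example. It is not RubyGems’ own code and not Trustwave’s proof of concept; it models the client behaviour described above. The `_rubygems._tcp.<host>` SRV name matches what the RubyGems client queries, but the in-memory record table, the target names and the function names are constructed for this example. The optional `live_srv_target` helper performs a real lookup with the standard library’s Resolv and is not called by default, so the script runs offline.

```ruby
require 'resolv'

# Constructed stand-in for DNS: maps an SRV name to the target a resolver
# would return. A spoofed or hijacked answer can point anywhere.
FAKE_SRV_RECORDS = {
  "_rubygems._tcp.rubygems.org" => "attackercontrolledrubygems.org",
}.freeze

# The SRV name the RubyGems client queries for a gem source host.
def srv_name(host)
  "_rubygems._tcp.#{host}"
end

# Offline lookup against the constructed table.
def stub_srv_target(host, records = FAKE_SRV_RECORDS)
  records[srv_name(host)]
end

# Live variant (needs network; not called below): the same query via Resolv.
def live_srv_target(host)
  Resolv::DNS.open do |dns|
    dns.getresource(srv_name(host), Resolv::DNS::Resource::IN::SRV).target.to_s
  end
rescue Resolv::ResolvError
  nil
end

# Pre-fix behaviour: whatever the SRV answer names becomes the gem server.
def discover_unchecked(host, records = FAKE_SRV_RECORDS)
  stub_srv_target(host, records) || host
end

# Weak check: a plain string suffix test. "attackercontrolledrubygems.org"
# ends with "rubygems.org", so it passes.
def suffix_check?(host, target)
  target.downcase.end_with?(host.downcase)
end

# Hardened check: the target must be the source host itself or a subdomain
# of it, i.e. a label boundary "." must precede the host. Trailing dots that
# DNS answers may carry are normalized away first.
def same_security_domain?(host, target)
  h = host.downcase.chomp(".")
  t = target.downcase.chomp(".")
  t == h || t.end_with?(".#{h}")
end

# Discovery with a pluggable check. An empty target ("." in RFC 2782 means
# the service is not offered) falls back to the configured source host.
def discover(host, records = FAKE_SRV_RECORDS, checker: method(:same_security_domain?))
  target = stub_srv_target(host, records)
  return host if target.nil? || target.chomp(".").empty?
  checker.call(host, target) ? target : host
end

if __FILE__ == $PROGRAM_NAME
  host = "rubygems.org"
  puts "unchecked:    #{discover_unchecked(host)}"
  puts "suffix check: #{discover(host, checker: method(:suffix_check?))}"
  puts "domain check: #{discover(host)}"
end
```

Run as a script, the unchecked and suffix-checked variants both hand the client to attackercontrolledrubygems.org, while the label-boundary check keeps it on rubygems.org; a legitimate answer such as api.rubygems.org still passes the hardened check.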
“These issues affect the RubyGems client and any environment that embeds the RubyGems client. Ruby, JRuby, and Rubinius have all been confirmed to embed the RubyGems client and are affected by CVE-2015-3900,” Trustwave said. “The mechanism for updating to a fixed version of RubyGems also uses the same vulnerable functionality we’re trying to protect.”