Daily gem installations calculated at 1.2 million

Jun 24, 2015 14:41 GMT

A vulnerability in RubyGems can be exploited by an attacker to redirect clients to malicious gem servers for installing Ruby applications.

RubyGems is a package manager that allows distribution of Ruby programs or libraries in a standard format called a “gem.” For easier distribution, the packages can be pushed by developers to special servers from where clients can retrieve the necessary resources.

Clients can locate a gem server via a DNS SRV lookup, through a feature called “Gem Server Discovery.”

Clients using HTTPS are not safe, either

The security flaw (CVE-2015-3900), discovered by Brandon Myers and Jonathan Claudius, security researchers at Trustwave, consists of a failure to verify that the host named in the DNS response belongs to the same domain as the original gem source.

An attacker positioned between the client and the server could alter the DNS response and direct the client to download the Ruby resources from an arbitrary server, potentially leading to remote code execution.

The researchers say that the vulnerability permits redirection even if HTTPS is used. “This effectively bypasses HTTPS verification on the original HTTPS gem source allowing an attacker to force the user to install malicious/trojaned gems,” they say in a blog post published on Tuesday.

Developers should update to the latest RubyGems

Signing the gems would be one way to stay safe against such an attack, but Claudius says this is not a common practice in the Ruby gem ecosystem, stating that none of the top 10 gems are signed.

Even where gems are signed, the researchers demonstrated that the flaw can be exploited unless the HighSecurity trust policy is in use; under a weaker policy, gems can be altered in transit via a downgrade attack.

A patch for CVE-2015-3900 was delivered in mid-May, but Claudius said that it did not plug the hole properly: it could be bypassed (CVE-2015-4020) to redirect users to any domain whose name merely ended with the original source's domain.
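The two checks at the heart of this story, the missing domain check behind CVE-2015-3900 and the plain string-suffix check that CVE-2015-4020 slipped past, can be illustrated in a few lines. The following Ruby is an added example written for this article, not RubyGems' own code: it simulates the SRV answer for `_rubygems._tcp.<host>` with a constructed hash instead of a live DNS query, and the helper names (`naive_suffix_match?`, `same_domain?`, `discover_gem_server`) are assumptions of the example.

```ruby
require 'uri'

# Weak check of the kind the suffix-bypass (CVE-2015-4020) defeats:
# "evilrubygems.org".end_with?("rubygems.org") is true, so a host that
# merely ends with the source's name passes.
def naive_suffix_match?(source_host, srv_target)
  srv_target.downcase.end_with?(source_host.downcase)
end

# Stricter check: the SRV target must be the source host itself or a
# subdomain of it, with the boundary on a label separator ("."), and
# trailing dots from DNS names normalised away first.
def same_domain?(source_host, srv_target)
  src = source_host.downcase.chomp('.')
  tgt = srv_target.downcase.chomp('.')
  tgt == src || tgt.end_with?('.' + src)
end

# Constructed stand-in for an SRV lookup; a real client would query
# Resolv::DNS for SRV records of _rubygems._tcp.<source host>.
SAMPLE_SRV_ANSWERS = {
  '_rubygems._tcp.rubygems.org' => 'api.rubygems.org'
}.freeze

# Resolve the host a client should talk to for the given gem source.
# Without any SRV record the client stays on the configured host; with
# one, the target is only accepted if `check` says it is in-domain.
def discover_gem_server(source_uri, answers: SAMPLE_SRV_ANSWERS,
                        check: method(:same_domain?))
  host = URI(source_uri).host
  target = answers["_rubygems._tcp.#{host}"]
  return host if target.nil?
  unless check.call(host, target)
    raise SecurityError, "SRV target #{target} is outside #{host}"
  end
  target
end

if __FILE__ == $PROGRAM_NAME
  spoofed = { '_rubygems._tcp.rubygems.org' => 'evilrubygems.org' }
  puts discover_gem_server('https://rubygems.org')             # api.rubygems.org
  puts naive_suffix_match?('rubygems.org', 'evilrubygems.org') # true (bypass)
  begin
    discover_gem_server('https://rubygems.org', answers: spoofed)
  rescue SecurityError => e
    puts "rejected: #{e.message}"
  end
end
```

The `same_domain?` test is what a client needs before following an SRV-directed redirect; note that even a correct domain check does not authenticate the gem contents themselves, which is why the article separately points at signed gems under the HighSecurity trust policy.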

Users are advised to update the RubyGems client to version 2.4.8 or later. In collaboration with OpenDNS, Trustwave estimated that the number of possible gem installations per day is 1.2 million, meaning that a potential annual figure could rise to 438 million.

Video demonstration of the vulnerabilities:

Gem Install Request Hijacking

Trojaning a Gem in Transit

Bypassing Signed Gems on MediumSecurity