Trustwave SpiderLabs Security Advisory TWSL2015-007:
Request Hijacking Vulnerability In RubyGems

Published: 09/08/15
Version: 1.2

Vendor: RubyGems (https://rubygems.org/)
Product: RubyGems Client
Versions affected:
  RubyGems 2.0 before 2.0.16, 2.2 before 2.2.4, 2.4 before 2.4.7
  Ruby versions before 2.2.3
  JRuby versions before 1.7.21 and before 9.0.0.0.rc1
  Rubinius versions before 1.4.9 and before 2.5.6

Product description:
RubyGems is a packaging and distribution library for Ruby.

Finding: Request Hijacking Vulnerability In RubyGems
Credit: Jonathan Claudius and Brandon Myers of Trustwave
CVE: CVE-2015-3900

The RubyGems client supports gem server API discovery, which is used when pushing gems to, or pulling gems from, a gem distribution/hosting server such as RubyGems.org. Discovery is performed with a DNS SRV query for the user's gem source hostname prefixed with "_rubygems._tcp.". The answer tells the RubyGems client (the gem command) where the API for that gem source lives. In the default configuration, with a gem source of https://rubygems.org, the SRV query and its reply look like this:

  ~ $ dig srv _rubygems._tcp.rubygems.org +short
  0 1 80 api.rubygems.org.

Because the client accepted whatever target the SRV answer named, without verifying that the target lies within the gem source's own domain, an attacker positioned to tamper with DNS answers (on-path, or able to spoof or poison the resolver) can substitute a target in a different security domain and force the client to unknowingly download and install gems from an attacker-controlled gem server. In that scenario the poisoned answer would look like this:

  ~ $ dig srv _rubygems._tcp.rubygems.org +short
  0 1 80 api.attackercontrolled.com.

Once the client is talking to the attacker's server, the attacker can serve it malicious gem content, which leads to trivial remote code execution on the client machine.
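The discovery step and the missing check, shown as an added example that is not taken from the advisory or from the RubyGems code base. Real DNS is replaced with constructed SRV answers (the attacker-controlled name is the advisory's placeholder, not a real site), and two endpoint selectors are modelled: one that follows any SRV target, as the affected clients did, and one that accepts the target only when it is the gem source host itself or a subdomain of it. The function names, the answer tables and the choice to use only the SRV target name (not its port) are this example's own assumptions.

```ruby
require "uri"

# Constructed SRV answers standing in for DNS responses. Each maps an SRV
# owner name to [priority, weight, port, target], the order that
# "dig srv ... +short" prints. None of these come from live DNS.
HONEST_DNS   = { "_rubygems._tcp.rubygems.org" => [0, 1, 80, "api.rubygems.org."] }
POISONED_DNS = { "_rubygems._tcp.rubygems.org" => [0, 1, 80, "api.attackercontrolled.com."] }
# Two look-alike targets a naive suffix check might let through.
SUFFIX_DNS   = { "_rubygems._tcp.rubygems.org" => [0, 1, 80, "api.rubygems.org.attackercontrolled.com."] }
GLUED_DNS    = { "_rubygems._tcp.rubygems.org" => [0, 1, 80, "evilrubygems.org."] }

# Builds the "_rubygems._tcp." owner name for the source host and returns
# the SRV answer, or nil when the zone has no such record.
def lookup_srv(dns, host)
  dns["_rubygems._tcp.#{host}"]
end

# Pre-fix behaviour as the advisory describes it: whatever hostname the SRV
# answer names becomes the API endpoint. Nothing ties it to the configured
# gem source's domain. (Assumption for this example: the original scheme and
# path are kept and the SRV port is ignored.)
def api_endpoint_unverified(dns, source)
  uri = URI.parse(source)
  srv = lookup_srv(dns, uri.host)
  return uri unless srv
  _prio, _weight, _port, target = srv
  URI.parse("#{uri.scheme}://#{target.chomp('.')}#{uri.path}")
end

# Domain check: target must equal the source host or end with "." + host.
# The leading dot anchors the suffix so "evilrubygems.org" does not match
# "rubygems.org", and the \z-style end anchoring (end_with?) rejects
# "api.rubygems.org.attackercontrolled.com". Trailing dots and case are
# normalised because DNS names carry both.
def same_domain?(target, host)
  t = target.chomp(".").downcase
  h = host.chomp(".").downcase
  t == h || t.end_with?(".#{h}")
end

# Hardened variant: an SRV target outside the source's domain is ignored and
# the client keeps using the configured source, the same as when no SRV
# record exists at all.
def api_endpoint_verified(dns, source)
  uri = URI.parse(source)
  srv = lookup_srv(dns, uri.host)
  return uri unless srv
  _prio, _weight, _port, target = srv
  return uri unless same_domain?(target, uri.host)
  URI.parse("#{uri.scheme}://#{target.chomp('.')}#{uri.path}")
end

if __FILE__ == $0
  src = "https://rubygems.org"
  puts "unverified, poisoned answer -> #{api_endpoint_unverified(POISONED_DNS, src).host}"
  puts "verified,   poisoned answer -> #{api_endpoint_verified(POISONED_DNS, src).host}"
  puts "verified,   honest answer   -> #{api_endpoint_verified(HONEST_DNS, src).host}"
end
```

The hardened selector fails closed onto the configured source rather than aborting the operation, so a poisoned or malformed SRV answer degrades discovery instead of redirecting it. Note what the check does and does not cover: it stops an SRV answer from moving the client to another security domain, but it does not authenticate the DNS answer itself, so an attacker who controls DNS for the gem source's own domain is outside its scope.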
The simplest payload is a modified gem whose extension build step runs attacker-supplied code at install time on the client machine, the gem trojaning technique described by Ben Smith in his "Hacking with Gems" presentation at Aloha Ruby Conference in 2012 (https://www.youtube.com/watch?v=z-5bO0Q1J9s).

Remediation Steps:
Run "gem update --system" to upgrade to a fixed version.

Revision History:
05/06/15 - Vulnerability disclosed to vendor
05/06/15 - Vendor acknowledgement
05/14/15 - Patch and blog posts released by vendor
05/18/15 - v1.0 Advisory published
06/10/15 - v1.1 Advisory published (correct Ruby ranges, add JRuby/Rubinius, add credits)
09/08/15 - v1.2 Advisory published (add explicit Ruby/JRuby/Rubinius affected ranges/refs)

Additional Credits:
Evan Phoenix of RubyGems (for RubyGems patch)
Matthaus Owens of Puppet Labs (for JRuby pull #3030)

References:
1. http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
2. http://blog.rubygems.org/2015/05/14/2.4.7-released.html
3. http://blog.rubygems.org/2015/05/14/2.2.4-released.html
4. https://github.com/rubygems/rubygems/commit/329c7555fbe2e6d08dae57e61bb5e8171c579e4a
5. https://github.com/jruby/jruby/pull/3030
6. https://github.com/rubinius/rubinius/pull/3435
7. https://github.com/rubinius/rubinius/releases/tag/v2.5.6
8. https://github.com/rubinius/rubinius/releases/tag/v1.4.9
9. http://jruby.org/2015/06/10/jruby-9-0-0-0-rc1.html
10. http://jruby.org/2015/07/07/jruby-1-7-21.html
11. https://www.ruby-lang.org/en/news/2015/08/18/ruby-2-2-3-released/

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media.
More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs® is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.