Delving into the four recent RubyGems vulnerabilities

A few days ago, a blog post was released by RubyLang and RubyGems stating that they had fixed multiple vulnerabilities. The four vulnerabilities that were found are described as follows:

1. a DNS request hijacking vulnerability 
2. an ANSI escape sequence vulnerability 
3. a denial of service vulnerability in the query command 
4. an arbitrary file overwrite while installing a gem

Let's break these vulnerabilities down by attack type, potential impact and how each issue was fixed.

DNS Request Hijacking Vulnerability

Attack Type: Man-in-the-middle (MitM) 
Potential Impact: Compromised Gem integrity
Severity: High
RubyGems users are able to specify the gem server API location they wish to use; by default this is https://rubygems.org. The client uses this URL to make an SRV DNS request, but there was a flaw in how the DNS response was verified. It allowed man-in-the-middle attackers to change the URL within the DNS response to a malicious one. Believing the response to be correct, the client would proceed to download gems from the malicious server. A code snippet containing a proof of concept can be found in the comments of the fix commit.
Fix: Matching the hostname returned in the DNS response to the hostname of the target URI.
Fix Commit: This one!
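To illustrate the check the fix describes, here is an added example (not RubyGems' own code) with the DNS lookup injected as a lambda so it runs offline. The SRV answers below are constructed; a real client would query _rubygems._tcp.<host> with Resolv::DNS.

```ruby
require 'uri'

# Constructed stand-ins for the SRV answer a client might receive for the
# configured host. Each takes the host and returns the target hostname.
LEGIT_DNS     = ->(host) { "api.#{host}" }            # honest answer
TAMPERED_DNS  = ->(_host) { 'mirror.evil.example' }   # on-path attacker swaps the target
LOOKALIKE_DNS = ->(host) { "evil#{host}" }            # passes a bare suffix check
NO_RECORD_DNS = ->(_host) { nil }                     # no SRV record published

# Vulnerable behaviour: use whatever target the DNS answer carried.
def api_endpoint_unchecked(uri, resolver)
  target = resolver.call(uri.host).to_s.strip
  return uri if target.empty?
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

# Fixed behaviour: only accept a target that is a subdomain of the host the
# user configured. The leading dot in the pattern matters: a plain
# end_with?(host) would still accept "evilrubygems.org" for "rubygems.org".
def api_endpoint_checked(uri, resolver)
  target = resolver.call(uri.host).to_s.strip
  return uri if target.empty?
  if /\.#{Regexp.quote(uri.host)}\z/ =~ target
    URI.parse("#{uri.scheme}://#{target}#{uri.path}")
  else
    uri # fall back to the configured source instead of an unknown host
  end
end

if __FILE__ == $0
  source = URI.parse('https://rubygems.org')
  { 'legit' => LEGIT_DNS, 'tampered' => TAMPERED_DNS,
    'lookalike' => LOOKALIKE_DNS, 'none' => NO_RECORD_DNS }.each do |label, dns|
    puts format('%-9s unchecked=%-22s checked=%s', label,
                api_endpoint_unchecked(source, dns).host,
                api_endpoint_checked(source, dns).host)
  end
end
```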

ANSI Escape Sequence Vulnerability

Attack Type: Escape Character Injection
Potential Impact: Terminal output is printed incorrectly
Severity: Low
Gem authors were able to insert escape characters into fields of the gemspec that would then be printed on the end user's terminal upon gem installation.
Fix: ANSI control characters are removed before printing.
Fix Commit: This one!

Denial of Service in the Query Command

Attack Type: Denial of Service (DoS)
Potential Impact: Process temporarily hanging
Severity: Low
Gem authors were able to use an unlimited number of characters in the "summary" field of a gem. If the string is large enough, the process would temporarily hang whenever a user tried to query for information about that gem.
Fix: Gem authors are now limited to 100,000 character summaries.
Fix Commit: This one!

Arbitrary File Overwrite

Attack Type: Directory Traversal
Potential Impact: Gems to be installed in unintended folders
Severity: Medium
Gem authors were previously not restricted in the characters they could use in gem names. This allowed attackers to use the ../ character sequence within a gem name to change the location the gem was installed to. Using this, they could potentially overwrite other files on the user's system when the gem is installed. To learn more about directory traversal attacks see my previous blog: Diving into Directory Traversal Vulnerabilities in Open-Source.
Fix: Gem names may now only contain numbers, letters, underscores (_), dashes (-) and dots (.).
Fix Commits: These two!

As of August 31, 2017, a new version of Ruby that contains a bundled fix for the RubyGems vulnerabilities has yet to be released. While, as of today, only a few people were impacted, we highly recommend that you mitigate these issues on your system. To do this, upgrade your version of RubyGems by running this command:
gem update --system

Some of the vulnerable gems we have in the SourceClear registry are affected by similar vulnerabilities. An example of these are:

  • Through the ciborg gem, attackers are able to overwrite files using symlink attacks (SVE-1720)
  • Through the excon gem, attackers can perform man-in-the-middle (MitM) attacks and compromise the integrity of the gem installed (SVE-3363)

These vulnerabilities are SVEs (SourceClear Vulnerabilities and Exposures) identified by the security research team, which means they don't have an NVD-issued CVE number. To read more about SVEs affecting gems in Ruby, see our post on Cross-Site Request Forgery (CSRF) attacks that impacted over 50,000 Ruby developers.

If you are using Ruby and want to scan your projects, you can sign up for a demo or dive right in with our free 30 day trial.

Clapping shows how much you appreciated Vanessa Henderson’s story.