Update for Critical RubyGems Hole

Tuesday, June 30, 2015 @ 03:06 PM gHale

A vulnerability in RubyGems, a package manager for the Ruby programming language, can end up exploited to trick end users into installing malware from attacker-controlled gem servers, researchers said.

The vulnerability could impact as many as 1.2 million software installations per day, Trustwave researchers calculated with the help of OpenDNS security researcher Anthony Kasza. RubyGems ends up used by businesses including start-ups, social media sites and payment gateway companies.


A Ruby gem is a standard packaging format used for distributing Ruby libraries and applications. Developers push gems to gem (distribution) servers, from which users download them.

“The RubyGems client has a ‘Gem Server Discovery’ functionality, which uses a DNS SRV request for finding a gem server. This functionality does not require that DNS replies come from the same security domain as the original gem source, allowing arbitrary redirection to attacker controlled gem servers,” researchers said in a blog post.

“The vulnerability (CVE-2015-3900) allows an attacker to redirect a RubyGem client that is using HTTPS to an attacker controlled gem server; this effectively bypasses HTTPS verification on the original HTTPS gem source. This means that the attacker can force the user to install malicious/trojaned gems,” the researchers said.

Developers signing their Ruby gems would partially mitigate the risk, but the overwhelming majority of them don’t, so a more reliable fix came from the RubyGems developers, who pushed out a patch in mid-May.

Another fix ended up needed afterward since researchers discovered a new vulnerability (CVE-2015-4020) that allowed attackers to redirect users to domains that end with the original security domain. Officials patched the second bug June 8.
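The two bugs described above both come down to the same check: whether a gem server host returned by DNS SRV discovery belongs to the security domain of the original HTTPS gem source. The following is an added illustration, not code from RubyGems or from the Trustwave researchers, of a naive suffix match (the kind of check CVE-2015-4020 gets past, since "evil-rubygems.org" ends with "rubygems.org") next to a check that requires a label boundary. The hostnames and SRV targets are constructed for the example.

```ruby
# Added example (not RubyGems' own code): validating a gem server host returned
# by DNS SRV discovery against the security domain of the original HTTPS source.
# All hostnames below are constructed for illustration.
require "uri"

# Naive check: a plain string suffix match. It wrongly accepts
# "evil-rubygems.org" for the security domain "rubygems.org".
def same_domain_weak?(candidate, domain)
  candidate.end_with?(domain)
end

# Corrected check: the candidate must be the domain itself or a proper
# subdomain of it, so a dot (label boundary) must precede the domain.
# Case and a trailing dot (FQDN form) are normalized first.
def same_domain_strict?(candidate, domain)
  candidate = candidate.downcase.chomp(".")
  domain = domain.downcase.chomp(".")
  candidate == domain || candidate.end_with?(".#{domain}")
end

# Given the original gem source URI and a list of SRV target hosts, return
# only the targets a client should be willing to follow.
def filter_srv_targets(source, targets)
  domain = URI(source).host
  targets.select { |t| same_domain_strict?(t, domain) }
end

if __FILE__ == $PROGRAM_NAME
  source = "https://rubygems.org"
  # Constructed SRV answers: one legitimate subdomain, two look-alikes.
  targets = ["api.rubygems.org", "evil-rubygems.org", "rubygems.org.attacker.example"]
  puts filter_srv_targets(source, targets).inspect
end
```

The strict check only answers the domain-matching question; it does not replace fetching the gem over HTTPS from the accepted host, which is what makes the redirect matter in the first place.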

“These issues affect the RubyGems client and any environment that embeds the RubyGems client. Ruby, JRuby, and Rubinius have all been confirmed to embed the RubyGems client and are affected by CVE-2015-3900,” the researchers said.

Users should update all of those to the latest versions provided, but keep in mind that the mechanism for updating to a fixed version of RubyGems uses the same vulnerable functionality, so updating while on a secure network is a good idea.