Critical RubyGems vulns can lead to installation of malicious apps

A serious vulnerability in RubyGems, a package manager for the Ruby programming language, can be exploited to trick end users into installing malware from attacker-controlled gem servers, Trustwave researchers have discovered.

The vulnerabilities could impact as many as 1.2 million software installations per day, they calculated with the help of OpenDNS security researcher Anthony Kasza. RubyGems is used by many businesses including start-ups, social media sites and payment gateway companies.

A Ruby gem is a standard packaging format used for distributing Ruby libraries and applications. Gems are pushed by developers to gem (distribution) servers such as rubygems.org, the default source, from which users download them with the RubyGems client.

“The RubyGems client has a ‘Gem Server Discovery’ functionality, which uses a DNS SRV request for finding a gem server. This functionality does not require that DNS replies come from the same security domain as the original gem source, allowing arbitrary redirection to attacker controlled gem servers,” the researchers explained.

“The vulnerability (CVE-2015-3900) allows an attacker to redirect a RubyGem client that is using HTTPS to an attacker controlled gem server; this effectively bypasses HTTPS verification on the original HTTPS gem source. This means that the attacker can force the user to install malicious/trojaned gems.”

Developers signing their Ruby gems could partially mitigate the risk, since a trojaned gem served from the wrong server would fail signature verification for users who enforce it, but the overwhelming majority of developers don’t sign their gems. The reliable fix therefore had to come from the RubyGems developers, who pushed out a patched client in mid-May.

A second fix was needed after the researchers found that the first patch’s check could be bypassed (CVE-2015-4020): it only verified that the SRV target ended with the original security domain, so a hostname such as attackercontrolledrubygems.org passed the check for rubygems.org and redirected the client all the same. The second bug was patched on June 8.
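The discovery step and the two flawed checks described above, as an added example written for this article rather than code taken from RubyGems itself. It models the client resolving the `_rubygems._tcp.<host>` SRV record and deciding whether to follow it; the SRV target is passed in directly (a real client would query DNS via Resolv::DNS) so the block runs offline, and the three policies are labelled with the behaviour the article attributes to each version. The hostnames are constructed test inputs.

```ruby
require "uri"

# Added example, not RubyGems' own code: a model of the client's
# "Gem Server Discovery" step.  The client looks up the DNS SRV record
# _rubygems._tcp.<host> for the configured source and, if one exists,
# fetches from the host that record names instead.  The SRV target is
# passed in directly (a real client would query Resolv::DNS) so that the
# example runs offline.
module GemServerDiscovery
  # How the SRV target is validated against the configured host.
  POLICIES = {
    # CVE-2015-3900: any target is accepted, so a DNS reply naming an
    # unrelated security domain redirects the client.
    none:      ->(_host, _target) { true },
    # CVE-2015-4020: suffix check without a label boundary, so
    # "attackercontrolledrubygems.org" passes for "rubygems.org".
    suffix:    ->(host, target) { target.end_with?(host) },
    # Hardened: the target must be the host itself or a subdomain of it.
    subdomain: ->(host, target) { target == host || target.end_with?(".#{host}") },
  }.freeze

  # Returns the URI the client would actually fetch from.
  # +srv_target+ is the hostname from the SRV record, or nil if none exists.
  def self.api_endpoint(source, srv_target, policy: :subdomain)
    uri = URI(source)
    return uri if srv_target.nil?                 # no SRV record: keep the source as configured

    target = srv_target.to_s.strip.chomp(".")     # DNS names may carry a trailing dot
    return uri unless POLICIES.fetch(policy).call(uri.host, target)

    # The scheme is kept, so the redirect still uses HTTPS; the attacker's
    # server only needs a valid certificate for its *own* hostname, which
    # is why the original source's HTTPS verification is bypassed.
    URI("#{uri.scheme}://#{target}#{uri.path}")
  end

  # True when discovery moved the client off the configured host.
  def self.redirected?(source, srv_target, policy: :subdomain)
    api_endpoint(source, srv_target, policy: policy).host != URI(source).host
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed SRV targets; rubygems.org is the configured source.
  source  = "https://rubygems.org/"
  targets = ["mirror.rubygems.org", "attackercontrolledrubygems.org", "evil.example"]
  GemServerDiscovery::POLICIES.each_key do |policy|
    targets.each do |t|
      puts format("%-10s %-32s -> %s", policy, t,
                  GemServerDiscovery.api_endpoint(source, t, policy: policy))
    end
  end
end
```

Running the file prints one line per policy and target: under `:none` every target is followed, under `:suffix` the lookalike domain is still followed while the unrelated host is not, and under `:subdomain` only mirror.rubygems.org survives. The hardened check is the one worth keeping in mind when reviewing any "same origin" test on hostnames: compare against ".host", not "host".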

“These issues affect the RubyGems client and any environment that embeds the RubyGems client. Ruby, JRuby, and Rubinius have all been confirmed to embed the RubyGems client and are affected by CVE-2015-3900,” the researchers pointed out.

Users are advised to update all of those to the latest versions provided, but to keep in mind that the mechanism for updating to a fixed version of RubyGems (gem update --system) goes through the same vulnerable discovery step, so the update should be done from a network whose DNS resolvers are trusted.

No attacks exploiting those vulnerabilities have yet been spotted “in the wild,” but it’s just a matter of time, the researchers feel, so users are advised to upgrade as soon as possible.

Users are also urged to verify that all their Ruby gem sources (listed with gem sources -l) use HTTPS, while gem “producers” are advised to start signing their gems, so that users can verify their integrity.
