14 May 2015
CVE-2015-3900 Request hijacking vulnerability in RubyGems 2.4.6 and earlier
by Evan Phoenix
RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specificly a SRV record _rubygems._tcp under the original requested domain.
For example, this is the one that users who use rubygems.org see:
> dig _rubygems._tcp.rubygems.org SRV ;; ANSWER SECTION: _rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org.
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it. For example:
> dig _rubygems._tcp.rubygems.org SRV ;; ANSWER SECTION: _rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 gems.nottobetrusted.wtf
The fix, detailed at on github, shows that we validate the record now to be under the original domain. This restricts the client to be using the original trust/security domain as they would have otherwise.
RubyGems versions between 2.0 and 2.4.6 are vulnerable.
RubyGems version 2.0.16, 2.2.4, and 2.4.7 have been released that fix this issue.
Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded versions of RubyGems.
Patch for All versions
This vulnerability was reported by Jonathan Claudius JClaudius@trustwave.com.