Researchers at Trustwave have uncovered a serious vulnerability in RubyGems, the package manager for the Ruby programming language, that can be used to trick users into installing malware from attacker-controlled gem servers.
The vulnerability could affect as many as 1.2 million software installations per day, according to a calculation supported by OpenDNS security researcher Anthony Kasza. RubyGems is used by many businesses, including social media sites, payment gateway companies and start-ups.
A Ruby gem is the standard packaging format for distributing Ruby applications and libraries. Developers push gems to gem distribution servers, from which users download them.
“The RubyGems client has a ‘Gem Server Discovery’ functionality, which uses a DNS SRV request for finding a gem server. This functionality does not require that DNS replies come from the same security domain as the original gem source, allowing arbitrary redirection to the attacker-controlled gem servers,” the Trustwave researchers explained in a blog post.
The vulnerability: CVE-2015-3900
It allows an attacker to redirect a RubyGems user who is using HTTPS to an attacker-controlled gem server. HTTPS verification of the original gem source is thereby effectively bypassed, and the attacker can make the user install malicious gems. CVE-2015-3900 also affects anything that embeds the RubyGems client environment, such as JRuby and Rubinius.
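To make the flaw concrete, the following added example (written for this page, not the RubyGems project's own code) models the "Gem Server Discovery" step in Ruby: RubyGems looks up an SRV record named `_rubygems._tcp.<host>` for the configured gem source, and the unpatched client rebuilt its API endpoint around whatever target that record returned. The sample SRV answers below are constructed; the hardened variant enforces the same-domain requirement the researchers describe.

```ruby
require 'uri'

# Constructed sample gem source; the real lookup would be for
# _rubygems._tcp.rubygems.org (a DNS query is not performed here).
GEM_SOURCE = "https://rubygems.org/"

# Vulnerable behaviour: trust any SRV target and rebuild the URI around it.
# The scheme is kept, so HTTPS still "works", but the certificate is now
# checked against the attacker's host rather than the original source.
def discover_unchecked(source, srv_target)
  uri = URI.parse(source)
  target = srv_target.to_s.strip.chomp(".")   # drop DNS trailing dot
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

# Hardened behaviour: the SRV target must be the original host itself or a
# subdomain of it. The leading dot is mandatory so that look-alike names
# ("evilrubygems.org") and suffix tricks ("rubygems.org.attacker.example")
# fall back to the original source instead of redirecting.
def discover_same_domain(source, srv_target)
  uri = URI.parse(source)
  host = uri.host.downcase
  target = srv_target.to_s.strip.chomp(".").downcase
  return uri unless target == host || target.end_with?(".#{host}")
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

# Constructed examples of what an SRV reply could contain.
SRV_ANSWERS = {
  legit:     "api.rubygems.org.",
  foreign:   "mirror.attacker.example.",
  lookalike: "evilrubygems.org.",
  suffix:    "rubygems.org.attacker.example.",
}

if __FILE__ == $0
  SRV_ANSWERS.each do |label, answer|
    puts "#{label}: unchecked=#{discover_unchecked(GEM_SOURCE, answer)} " \
         "same-domain=#{discover_same_domain(GEM_SOURCE, answer)}"
  end
end
```

Only the `legit` answer changes the endpoint under the same-domain rule; the other three leave the client talking to `rubygems.org` over HTTPS.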
Users are advised to update to the latest versions, bearing in mind that updating to a fixed version of RubyGems may itself go through the same vulnerable discovery mechanism. It is therefore better to perform the update on a trusted network.