= Request hijacking vulnerability in RubyGems 2.4.6 and earlier

RubyGems allows a domain to direct clients to a separate host that is used to fetch gems and to make API calls against. This mechanism is implemented via DNS, specifically an SRV record _rubygems._tcp under the originally requested domain. For example, this is the record that users of rubygems.org see:

  > dig _rubygems._tcp.rubygems.org SRV
  ;; ANSWER SECTION:
  _rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org.

RubyGems did not validate the hostname returned in the SRV record before sending requests to it. This left clients open to a DNS hijack attack, whereby an attacker could return an SRV record of their choosing and get the client to use it. For example:

  > dig _rubygems._tcp.rubygems.org SRV
  ;; ANSWER SECTION:
  _rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 gems.nottobetrusted.wtf

The fix, detailed at https://github.com/rubygems/rubygems/commit/6bbee35, shows that we now validate that the record's target lies under the original domain. This restricts the client to the original trust/security domain it would have used otherwise.

RubyGems versions between 2.0 and 2.4.6 are vulnerable. RubyGems versions 2.0.16, 2.2.4, and 2.4.7 have been released to fix this issue. Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded versions of RubyGems.

This vulnerability was reported by Jonathan Claudius <JClaudius@trustwave.com>.
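The validation the fix describes, as an added example that is not RubyGems' own code: a Ruby helper that follows the _rubygems._tcp SRV target only when it stays under the requested domain, and otherwise keeps talking to the original host. The SRV answers fed to resolve_api_uri are constructed for the example; srv_answers_for shows the equivalent live lookup with Resolv but is not run here.

```ruby
# Added example (not RubyGems' own code): emulates the post-fix behaviour of
# following a _rubygems._tcp SRV record only when its target stays under the
# requested domain. SRV answers passed in below are constructed, not live.
require 'resolv'
require 'uri'

# True if +target+ is the requested +host+ itself or a subdomain of it.
# The check requires a leading dot, so "evilrubygems.org" is NOT accepted
# for "rubygems.org". A trailing dot (as dig prints) is tolerated and the
# comparison is case-insensitive.
def srv_target_trusted?(host, target)
  host = host.to_s.downcase.chomp('.')
  target = target.to_s.downcase.chomp('.')
  return false if host.empty? || target.empty?
  target == host || target.end_with?(".#{host}")
end

# Picks the host the client should talk to for +uri+, given SRV answers of
# the form [target, port, priority] for _rubygems._tcp.<host>. The lowest
# priority answer wins; an untrusted target is ignored and the original URI
# is returned unchanged (the pre-fix client would have followed it blindly).
def resolve_api_uri(uri, srv_answers)
  uri = URI(uri)
  target, port = srv_answers.min_by { |_, _, priority| priority }&.first(2)
  return uri unless target && srv_target_trusted?(uri.host, target)
  api = uri.dup
  api.host = target.chomp('.')
  api.port = port if port && port != 0
  api
end

# Live lookup with Resolv, producing the [target, port, priority] triples
# resolve_api_uri expects (not exercised offline).
def srv_answers_for(host)
  Resolv::DNS.open do |dns|
    dns.getresources("_rubygems._tcp.#{host}", Resolv::DNS::Resource::IN::SRV)
       .map { |r| [r.target.to_s, r.port, r.priority] }
  end
end
```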