RubyGems Software Flaw Affects Millions of Installs

Trustwave researchers, using collaborative research data from OpenDNS, have discovered a vulnerability that could affect 1.2 million software installations per day.

The issue affects the RubyGems distribution software, which is used by a range of businesses, including start-ups, social media sites and payment gateway companies—to the tune of 438 million installations per year. RubyGems helps businesses and application developers distribute software to a central location so that end users can download it and use it. 

The vulnerability can be exploited to unknowingly lead end users to a server that’s controlled by criminals. Criminals can then feed the end user malware, compromising the computer and gaining access to all of the victim’s sensitive information. And the kicker is that the attack would be unnoticeable to the end user.

To understand the issue, it’s necessary to understand how RubyGems works.

“A Ruby gem is a standard packaging format used for Ruby libraries and applications,” explained the Trustwave researchers, in a blog shared with Infosecurity prior to publication. “This…allows Ruby software developers a clearly defined format in which they can reliably build and distribute software. Developers push Ruby gems to a distribution server (aka: a gem server) whereby users can then install the Ruby application.”

The RubyGems client has a Gem Server Discovery functionality, which uses a DNS SRV request for finding a gem server. Here’s the crux of the issue: This functionality does not require that DNS replies come from the same security domain as the original gem source, allowing arbitrary redirection to attacker controlled gem servers.

An attacker can redirect a RubyGem client who is using HTTPS to an attacker controlled gem server; this effectively bypasses HTTPS verification on the original HTTPS gem source.  This means that the attacker can force the user to install malicious/trojaned gems. Trustwave actually wrote a fully functional Gem Trojaning service that demonstrates how an attacker could simply Trojan Ruby gems transparently over the wire while the user was installing them.

So far there haven’t been any in-the-wild exploitation attempts, but the magnitude of the potential attack surface is notable.

“OpenDNS sees roughly 24,000 requests for the DNS SRV record in question per day, inferring 24,000 gem installations per day if we discount local system caches, gem dependencies and gem installation typos,” the researchers said. “Given that OpenDNS sees about two percent of the world’s Internet traffic—assuming each region of the world has the same likelihood of installing gem packages—that’s a possible 1.2 Million gem installations per day across the entire Internet (or 438 Million gem installs per year) that could be affected.”

Users should upgrade their RubyGem client in all Ruby environments to 2.4.8 or greater, and verify that all Ruby gem sources are using HTTPS. Producers can also sign their gems to provide options to users as to whether they want to verify the integrity of the gem. Gem consumers can meanwhile start using gem installation trust policies.

Trustwave researchers, using collaborative research data from OpenDNS, have discovered a vulnerability that could affect 1.2 million software installations per day.

The issue affects the RubyGems distribution software, which is used by a range of businesses, including start-ups, social media sites and payment gateway companies—to the tune of 438 million installations per year. RubyGems helps businesses and application developers distribute software to a central location so that end users can download it and use it. 

The vulnerability can be exploited to unknowingly lead end users to a server that’s controlled by criminals. Criminals can then feed the end user malware, compromising the computer and gaining access to all of the victim’s sensitive information. And the kicker is that the attack would be unnoticeable to the end user.

To understand the issue, it’s necessary to understand how RubyGems works.

“A Ruby gem is a standard packaging format used for Ruby libraries and applications,” explained the Trustwave researchers, in a blog shared with Infosecurity prior to publication. “This…allows Ruby software developers a clearly defined format in which they can reliably build and distribute software. Developers push Ruby gems to a distribution server (aka: a gem server) where by users can then install the Ruby application.”

The RubyGems client has a Gem Server Discovery functionality, which uses a DNS SRV request for finding a gem server. Here’s the crux of the issue: This functionality does not require that DNS replies come from the same security domain as the original gem source, allowing arbitrary redirection to attacker controlled gem servers.

An attacker can redirect a RubyGem client that is using HTTPS to an attacker controlled gem server; this effectively bypasses HTTPS verification on the original HTTPS gem source.  This means that the attacker can force the user to install malicious/trojaned gems. Trustwave actually wrote a fully functional Gem Trojaning service that demonstrates how an attacker could simply Trojan Ruby gems transparently over the wire while the user was installing them.

So far there haven’t been any in-the-wild exploitation attempts, but the magnitude of the potential attack surface is notable.

“OpenDNS sees roughly 24,000 requests for the DNS SRV record in question per day, inferring 24,000 gem installations per day if we discount local system caches, gem dependencies and gem installation typos,” the researchers said. “Given that OpenDNS sees about two percent of the world’s Internet traffic—assuming each region of the world has the same likelihood of installing gem packages—that’s a possible 1.2 Million gem installations per day across the entire Internet (or 438 Million gem installs per year) that could be affected.”

Users should upgrade their RubyGem client in all Ruby environments to 2.4.8 or greater, and verify that all Ruby gem sources are using HTTPS. Producers can also sign their gems to provide options to users as to whether they want to verify the integrity of the gem. Gem consumers can meanwhile start using gem installation trust policies.

What’s Hot on Infosecurity Magazine?