Commit
Showing 1 changed file with 40 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
= Request hijacking vulnerability in RubyGems 2.4.5 and earlier | ||
|
||
RubyGems provides the ability of a domain to direct clients to a separate | ||
host that is used to fetch gems and make API calls against. This mechanism | ||
is implemented via DNS, specificly a SRV record _rubygems._tcp under the | ||
original requested domain. | ||
|
||
For example, this is the one that users who use rubygems.org see: | ||
|
||
> dig _rubygems._tcp.rubygems.org SRV | ||
|
||
;; ANSWER SECTION: | ||
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org. | ||
|
||
RubyGems did not validate the hostname returned in the SRV record before | ||
sending requests to it. | ||
|
||
This left clients open to a DNS hijack attack, whereby an attacker could | ||
return a SRV of their choosing and get the client to use it. For example: | ||
|
||
> dig _rubygems._tcp.rubygems.org SRV | ||
|
||
;; ANSWER SECTION: | ||
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 gems.nottobetrusted.wtf | ||
|
||
The fix, detailed at https://github.com/rubygems/rubygems/commit/6bbee35, | ||
shows that we validate the record now to be under the original domain. This | ||
restricts the client to be using the original trust/security domain as they | ||
would have otherwise. | ||
|
||
RubyGems versions between 2.0 and 2.4.5 are vulnerable. | ||
|
||
RubyGems version 2.0.16, 2.2.4, and 2.4.6 have been released that fix this | ||
issue. | ||
|
||
Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded | ||
versions of RubyGems. | ||
|
||
This vulnerability was reported by Jonathan Claudius <JClaudius@trustwave.com>. | ||
|
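Review bot: The affected-version statements in this advisory disagree with each other: the title says "RubyGems 2.4.5 and earlier", while the body narrows it to "RubyGems versions between 2.0 and 2.4.5", and the three fixed releases (2.0.16, 2.2.4, 2.4.6) imply that each of the 2.0, 2.2 and 2.4 branches below those patch levels is affected. State one range, for example "RubyGems 2.0.0 through 2.4.5 (fixed in 2.0.16, 2.2.4 and 2.4.6)", and use it in both places. Two smaller points: "specificly" in the paragraph describing the SRV mechanism should be "specifically", and the sentence "we validate the record now to be under the original domain" would be clearer if it spelled out what "under" means in practice (the SRV target must be the requested domain or a subdomain of it), since that check is the whole mitigation; readers assessing whether a given client is fixed will want the rule, not only a link to the commit.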