forked from rubygems/rubygems
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2015-3900.txt
40 lines (26 loc) · 1.43 KB
/
CVE-2015-3900.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
= Request hijacking vulnerability in RubyGems 2.4.6 and earlier
RubyGems provides the ability of a domain to direct clients to a separate
host that is used to fetch gems and make API calls against. This mechanism
is implemented via DNS, specificly a SRV record _rubygems._tcp under the
original requested domain.
For example, this is the one that users who use rubygems.org see:
> dig _rubygems._tcp.rubygems.org SRV
;; ANSWER SECTION:
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 api.rubygems.org.
RubyGems did not validate the hostname returned in the SRV record before
sending requests to it.
This left clients open to a DNS hijack attack, whereby an attacker could
return a SRV of their choosing and get the client to use it. For example:
> dig _rubygems._tcp.rubygems.org SRV
;; ANSWER SECTION:
_rubygems._tcp.rubygems.org. 600 IN SRV 0 1 80 gems.nottobetrusted.wtf
The fix, detailed at https://github.com/rubygems/rubygems/commit/6bbee35,
shows that we validate the record now to be under the original domain. This
restricts the client to be using the original trust/security domain as they
would have otherwise.
RubyGems versions between 2.0 and 2.4.6 are vulnerable.
RubyGems version 2.0.16, 2.2.4, and 2.4.7 have been released that fix this
issue.
Ruby versions 1.9.0 through 2.2.0 are vulnerable as they contain embedded
versions of RubyGems.
This vulnerability was reported by Jonathan Claudius <[email protected]>.