Bug 1236116 (CVE-2015-3900) - CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()
Summary: CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3900
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1236117 1251465 1251466
Blocks: 1237100
TreeView+ depends on / blocked
 
Reported: 2015-06-26 15:03 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:10 UTC (History)
45 users (show)

Fixed In Version: rubygems 2.0.16, rubygems 2.2.4, rubygems 2.4.7
Doc Type: Bug Fix
Doc Text:
A flaw was found in a way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:42:03 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1657 0 normal SHIPPED_LIVE Important: rh-ruby22-ruby security update 2015-08-24 18:16:27 UTC

Description Vasyl Kaigorodov 2015-06-26 15:03:50 UTC
RubyGems before versions 2.0.16, 2.2.4 and 2.4.7 did not verify the API endpoint hostname retrieved through an SRV record.
This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.

Upstream patch: https://github.com/rubygems/rubygems/commit/6bbee35

External References:

http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html

Statement:

This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat Openstack 5, Red Hat Openshift Enterprise 2 as they did not include support for getting API endpoint using SRV DNS records.

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for getting API endpoint using SRV DNS records. The issue did not affect version of ruby as shipped with Red Hat Enterprise Linux 7, as the support for getting API endpoint using SRV DNS records is included, but inactive.

This issue did not affect the versions of ruby193-ruby as shipped with Red Hat Subscription Asset Manager and Red Hat Software Collections as they did not include support for getting API endpoint using SRV DNS records.

The issue did not affect version of ruby200-ruby as shipped with Red Hat Software Collections, as the support for getting API endpoint using SRV DNS records is included, but inactive.

Comment 1 Vasyl Kaigorodov 2015-06-26 15:05:16 UTC
Created rubygems tracking bugs for this issue:

Affects: fedora-all [bug 1236117]

Comment 2 Tomas Hoger 2015-06-26 16:26:01 UTC
(In reply to Vasyl Kaigorodov from comment #0)
> Upstream patch: https://github.com/rubygems/rubygems/commit/6bbee35

That patch is incorrect / incomplete, as noted in comments for it.  This additional commit improves the original fix:

https://github.com/rubygems/rubygems/commit/5c7bfb5

Comment 3 Vasyl Kaigorodov 2015-06-30 15:14:30 UTC
So, for sake of sanity.
Original upstream patch got CVE-2015-3900 assigned:
https://github.com/rubygems/rubygems/commit/6bbee35

Later it was found that the original patch introduces another vulnerability, which got CVE-2015-4020:
https://github.com/rubygems/rubygems/commit/5c7bfb5

Comment 4 Ján Rusnačko 2015-08-04 15:07:53 UTC
Analysis (from http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html):

"""
RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specificly a SRV record _rubygems._tcp under the original requested domain.

  > dig _rubygems._tcp.rubygems.org SRV

  ;; ANSWER SECTION:
  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 api.rubygems.org.

RubyGems did not validate the hostname returned in the SRV record before sending requests to it.

This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it. For example:  

  > dig _rubygems._tcp.rubygems.org SRV

  ;; ANSWER SECTION:
  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 gems.nottobetrusted.wtf
"""

Fix for this issue verifies that the returned host is on the same domain as the requested domain. This fix included:

    if /#{host}\z/ =~ target

which is incomplete, because suffix match is sufficient, e.g. if the domain requested was rubygems.org, attacker served record of attackersrubygems.org would pass this check (CVE-2015-4020). The complete fix for both now includes:

    if /\.#{Regexp.quote(host)}\z/ =~ target


Rubygems code is also bundled into ruby. The vulnerable code (function api_endpoint in lib/rubygems/remote_fetcher.rb) is present in ruby-2.0 and above.

This code is invoked like this:

lib/rubygems/resolver/best_set.rb BestSet#pick_sets() cals
lib/rubygems/source.rb Source#dependency_resolver_set() calls 
lib/rubygems/source.rb Source#api_uri() calls 
lib/rubygems/remote_fetcher.rb RemoteFetcher#api_endpoint()

However, code that invokes vulnerable function was not added to ruby before 2.1.0, hence versions of ruby below 2.1 are not affected by this vulnerability, as the vulnerable code is included but never called.

Comment 5 Tomas Hoger 2015-08-05 20:37:22 UTC
The incomplete fix issue CVE-2015-4020 is tracked via bug 1250109.

Trustwave SpiderLabs (original reporter) security advisory for this issue:

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356

Trustwave SpiderLabs blog post for CVE-2015-3900 and CVE-2015-4020:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/

Comment 7 Fedora Update System 2015-08-10 10:06:21 UTC
rubygems-2.4.8-100.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-08-11 02:06:51 UTC
rubygems-2.4.8-100.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-08-19 08:17:08 UTC
rubygems-2.2.5-100.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2015-08-24 14:16:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1657 https://rhn.redhat.com/errata/RHSA-2015-1657.html


Note You need to log in before you can comment on or make changes to this bug.