Bug 1250109 - CVE-2015-4020 rubygems: incomplete fix for CVE-2015-3900
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150518,repo...
Keywords: Security
Blocks: 1237100
Reported: 2015-08-04 10:22 EDT by Ján Rusnačko
Modified: 2015-08-19 04:42 EDT
Fixed In Version: rubygems 2.0.17, rubygems 2.2.5, rubygems 2.4.8
Doc Type: Bug Fix
Doc Text: A flaw was found in the way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use this flaw to force a client to download content from an untrusted domain.
Last Closed: 2015-08-04 10:27:51 EDT
Description Ján Rusnačko 2015-08-04 10:22:03 EDT
RubyGems before versions 2.0.16, 2.2.4 and 2.4.7 did not verify the API endpoint hostname retrieved through an SRV record (CVE-2015-3900). The fix for this flaw was found to be incomplete, as it was still possible for an attacker to bypass the hostname restriction.

Incomplete fix for CVE-2015-3900:
https://github.com/rubygems/rubygems/commit/6bbee35

Upstream fix for CVE-2015-4020:
https://github.com/rubygems/rubygems/commit/5c7bfb5

Statement:

This issue did not affect the versions of rubygems as shipped with Red Hat Enterprise Linux 6, Red Hat Enterprise MRG 2.5, Red Hat Satellite 6, Red Hat Openstack 5, Red Hat Openshift Enterprise 2, as the packages did not include the incomplete fix.

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat Subscription Asset Manager and Red Hat Software Collections, as the packages did not include the incomplete fix.
Comment 1 Ján Rusnačko 2015-08-04 11:08:28 EDT
Analysis (from http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html):

"""
RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain.

  > dig _rubygems._tcp.rubygems.org SRV

  ;; ANSWER SECTION:
  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 api.rubygems.org.

RubyGems did not validate the hostname returned in the SRV record before sending requests to it.

This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it. For example:

  > dig _rubygems._tcp.rubygems.org SRV

  ;; ANSWER SECTION:
  _rubygems._tcp.rubygems.org. 600 IN	SRV	0 1 80 gems.nottobetrusted.wtf
"""

The fix for this issue verifies that the returned host is on the same domain as the requested domain. This fix included:

    if /#{host}\z/ =~ target

which is incomplete, because a suffix match is sufficient, e.g. if the domain requested was rubygems.org, an attacker-served record for attackersrubygems.org would pass this check (CVE-2015-4020). The complete fix for both now includes:

    if /\.#{Regexp.quote(host)}\z/ =~ target
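The two regular expressions quoted in the comment above, run side by side over a set of constructed SRV targets. This is an added example, not code from RubyGems or from the bug reporter; only api.rubygems.org is a real hostname, the other targets are made up for illustration, and the function names are this example's own. It shows both defects of the incomplete check: the missing `.` separator (an unrelated domain that merely ends in the host string passes) and the unquoted host (the `.` in `rubygems.org` is a regexp wildcard, so `rubygemsXorg` also passes).

```ruby
# Added example (not RubyGems' own code): compare the incomplete
# CVE-2015-3900 hostname check with the CVE-2015-4020 fix.

# Incomplete fix (the CVE-2015-4020 bug): a bare suffix match, with the host
# interpolated unquoted, so '.' in the host matches any character.
def srv_target_allowed_incomplete?(host, target)
  !(/#{host}\z/ =~ target).nil?
end

# CVE-2015-4020 fix: require a literal '.' before the host and quote regexp
# metacharacters, so only proper subdomains of the host pass.
def srv_target_allowed_fixed?(host, target)
  !(/\.#{Regexp.quote(host)}\z/ =~ target).nil?
end

# Constructed SRV targets a resolver (or an attacker answering in its place)
# might return for _rubygems._tcp.rubygems.org. Hypothetical except the first.
SAMPLE_SRV_TARGETS = [
  "api.rubygems.org",        # legitimate subdomain of the requested host
  "attackersrubygems.org",   # unrelated domain that ends in the host string
  "api.rubygemsXorg",        # abuses the unescaped '.' in the host
  "gems.nottobetrusted.wtf", # arbitrary attacker domain
  "rubygems.org",            # the requested host itself, no subdomain
].freeze

# Returns { target => [incomplete_result, fixed_result] } for each target.
def compare_srv_checks(host, targets = SAMPLE_SRV_TARGETS)
  targets.each_with_object({}) do |t, out|
    out[t] = [srv_target_allowed_incomplete?(host, t),
              srv_target_allowed_fixed?(host, t)]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_srv_checks("rubygems.org").each do |t, (weak, strict)|
    puts format("%-26s incomplete=%-5s fixed=%s", t, weak, strict)
  end
end
```

Note that the fixed regexp also rejects a target equal to the requested host itself (`rubygems.org` has no leading `.` to match); only proper subdomains of the originally requested domain are accepted by that check.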
Comment 2 Tomas Hoger 2015-08-05 16:35:48 EDT
The additional fix for CVE-2015-4020 was only applied in rubygems versions 2.0.17, 2.2.5, and 2.4.8.

The original CVE-2015-3900 issue is tracked via bug 1236116.

Trustwave SpiderLabs (original reporter) security advisory for this issue:

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478

Trustwave SpiderLabs blog post for CVE-2015-3900 and CVE-2015-4020:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
