Security researchers this week discovered a major DNS vulnerability in the RubyGems software package manager.
Designed for packages written in the Ruby programming language, RubyGems distributes software as package files called gems, which are customarily downloaded from the rubygems.org developer site. A gem (.gem) is a packaged version of a piece of software, comparable to a Linux RPM (.rpm) or .deb package. The site hosts open source gems, but when the DNS vulnerability in the RubyGems client is exploited, an attacker can redirect the client to a different gem server under the attacker's control and carry out a man-in-the-middle (MitM) attack.
Jonathan Claudius and Brandon Myers, researchers with the vulnerability management company Trustwave Holdings, discovered the vulnerability during attempts to improve their own gem security.
"A successful exploit of this vulnerability would allow remote code execution on the person trying to use the client software," Claudius said. "When you go to update your software, you're updating that specific package software. You get updates to those software packages through RubyGems. In this particular case, the issue is actually with the client. You have to use the client to get your update to update the client. You're updating your updater."
Trustwave's SpiderLabs, the research unit Claudius and Myers are part of, worked with Anthony Kasza, a researcher at OpenDNS, the world's largest domain name service provider, to figure out how many people were affected by the vulnerability. OpenDNS ran tests showing that about 24,000 requests per day were made for the DNS SRV record the client uses to locate a gem server.
"To measure the number of potential Ruby gem installations, we gathered DNS query information from the OpenDNS Global Network," Kasza told SearchSecurity in an email. The network includes resolvers in Amsterdam, Ashburn, Berlin, Paris, Chicago, Copenhagen, Dallas, Frankfurt, Hong Kong, Johannesburg, Los Angeles, London, Miami, Tokyo, New York, Bucharest, Palo Alto, Prague, Seattle, Singapore, Sydney, Warsaw, Vancouver and Toronto.
OpenDNS sees two percent of the world's Internet traffic, according to Claudius, which suggests there could be 1.2 million gem installations per day across the Internet (assuming each region is equally likely to install gems).
"Internet access is unevenly distributed around the world," according to Kasza, "and we based these numbers on an estimate that Ruby gem downloads are skewed in a similar way."
Trustwave recommended upgrading RubyGems clients to version 2.4.8 or higher to avoid the DNS vulnerability. Claudius explained that a solid intrusion detection system and proper gem signing are important guards against such attacks. Gem signing attaches a cryptographic signature to the package so that the end user can verify the gem was produced by the software provider and not by some in-between actor.
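The redirect described above works because the client trusts whatever host the SRV record names. The following is an added example, not RubyGems' own code, of the kind of check a client can apply: only accept SRV targets that fall inside the domain of the configured gem source. The SRV name `_rubygems._tcp.<source>` and the helper names are assumptions for illustration.

```ruby
require 'resolv'

# Assumption: the SRV name the client queries to locate a gem server.
SRV_PREFIX = '_rubygems._tcp.'

# True only if srv_target is the source host itself or a subdomain of it.
# Comparison is case-insensitive, ignores a trailing dot, and requires a
# dot boundary so that "evilrubygems.org" does not pass for "rubygems.org".
def same_domain?(source_host, srv_target)
  src = source_host.to_s.downcase.chomp('.')
  tgt = srv_target.to_s.downcase.chomp('.')
  return false if src.empty? || tgt.empty?
  tgt == src || tgt.end_with?('.' + src)
end

# Given [host, port] pairs from an SRV answer, keep only in-domain targets.
def select_trusted(source_host, pairs)
  pairs.select { |host, _port| same_domain?(source_host, host) }
end

# Resolve the SRV record for source_host and return only trusted targets.
# Any target outside the source's domain is dropped before it is used.
def trusted_srv_targets(source_host, resolver: Resolv::DNS.new)
  name = SRV_PREFIX + source_host
  records = resolver.getresources(name, Resolv::DNS::Resource::IN::SRV)
  select_trusted(source_host, records.map { |r| [r.target.to_s, r.port] })
end

if $PROGRAM_NAME == __FILE__
  # Constructed SRV answer: one legitimate target and one attacker-controlled host.
  answer = [['api.rubygems.org', 443], ['mirror.attacker.example', 443]]
  p select_trusted('rubygems.org', answer) # => [["api.rubygems.org", 443]]
end
```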
"A developer can choose to sign gems," Claudius explained, "but it doesn't necessarily require a user to care about whether a gem is signed."
Regardless, the top ten most downloaded gems on rubygems.org are not signed.
"With the RubyGems architecture, there's not a clearly defined trust authority that you see with SSL," Claudius said. "In that particular case, the user has to explicitly trust specific publishers."
Developers at Square have been working on establishing secure package management for RubyGems via The Update Framework (TUF), a plug-and-play library for securing software updaters. According to Tony Arcieri, senior information security engineer at Square, the team is looking to make TUF the definitive trust authority for gems, although the work has been "a bit stalled."
And while the number of DNS queries has not changed drastically since the disclosure of the vulnerability last week, Kasza said that such a result was not a surprise. "Developers are still going to develop," he said. "The important takeaway here is that security measures should be in place, transparent, and enabled by default so that developers can do their jobs safely without worrying about the integrity of the software they use."