FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygems -- request hijacking vulnerability

Affected packages
ruby20-gems < 2.4.7
ruby21-gems < 2.4.7
ruby22-gems < 2.4.7

Details

VuXML ID a0089e18-fc9e-11e4-bc58-001e67150279
Discovery 2015-05-14
Entry 2015-05-17

Jonathan Claudius reports:

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specificly a SRV record _rubygems._tcp under the original requested domain.

RubyGems did not validate the hostname returned in the SRV record before sending requests to it. This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.

References

CVE Name CVE-2015-3900
FreeBSD PR ports/200264
URL http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html