Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
A Ruby gem is a standard packaging format used for Ruby libraries and applications. This packaging format allows Ruby software developers a clearly defined format in which they can reliably build and distribute software. Developers push Ruby gems to a distribution server (aka: a gem server) where users can then install the Ruby application using "gem install gem_name".
In a recent presentation, "Trojaned Gems: You can't tell you're using one" at THOTCON 0x6, we (Brandon Myers and Jonathan Claudius) shared some of our research looking at the security of the Ruby gem ecosystem. The original goal of the research was to improve our own Ruby gem security, but we felt what we discovered was worth sharing to help better protect others.
Summary of our Ruby Gem research
How many are affected by this vulnerability?
We recently collaborated with Anthony Kasza, a security researcher at OpenDNS, to help understand the number of Ruby gem installations that are potentially affected by this vulnerability.
Anthony was able to confirm that OpenDNS sees roughly 24,000 requests per day for the DNS SRV record in question (inferring 24,000 gem installations per day if we discount local system caches, gem dependencies, and gem installation typos). Given that OpenDNS sees about two percent of the world's Internet traffic—assuming each region of the world has the same likelihood of installing gem packages—that's a possible 1.2 million gem installations per day across the entire Internet (or 438 million gem installs per year) that could be affected.
We've also deployed signatures to detect this vulnerability with our managed IDS/IPS service and have monitored for exploitation attempts for some time. Thankfully, at the time of this writing, we've yet to see any "in-the-wild" exploitation attempts outside of our research lab, which is great news. However, we believe it to be only a matter of time before criminals get wise to this attack vector and make use of it, so we recommend that everyone deploy detections now. For more information on Trustwave IDS/IPS solutions, see here. For existing Trustwave IDS/IPS customers, the signature name is "RubyGems DNS hijack attempt detected (CVE-2015-3900)".
What should you do?
Slides, Advisories, and Demonstration Material
Here are the slides that we delivered at THOTCON 0x6 for your viewing pleasure:
Here are the three demonstration videos we covered during the presentation:
Credits
We'd like to thank following for their contributions to this research effort:
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.