Your regular news about ruby security
The Ruby Security newsletter

Published on 2013/02/18. This weekly report contains this week's vulnerabilities, new ones that were published since the last report, along with some more security tips.
If you got this report via the archive link, please subscribe to get more Ruby security news.


Vulnerabilities

Some of these vulnerabilities are rather old, but were only just assigned a CVE. You should still check that the affected libraries are up to date on your systems.

Omniauth-OAuth2

CSRF

Vulnerable versions: < 1.1.1
Fix: update to 1.1.1
CVE: CVE-2012-6134
Reported by Egor Homakov in September 2012

By manipulating the "state" parameter, an attacker could make an authorization request on behalf of another user.

PoC available
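The usual defence against this class of flaw is to bind the OAuth2 "state" parameter to the user's own session: mint a random value before redirecting to the provider, and accept the callback only if the returned value matches the stored one. The following is an added example written for this newsletter, not code from the omniauth-oauth2 gem; the session is a plain Hash standing in for a web framework's session store, and the helper names (issue_state, verify_state, secure_compare) are hypothetical.

```ruby
require 'securerandom'

# Constant-time byte comparison so that an attacker cannot learn the
# expected state character by character from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1: before redirecting the user to the provider, mint a random state
# and remember it in this user's session. The same value is put in the
# authorization URL's "state" query parameter.
def issue_state(session)
  state = SecureRandom.hex(24)
  session[:oauth2_state] = state
  state
end

# Step 2: on the callback, accept the response only if the "state" query
# parameter equals the value stored in this user's session. The stored
# value is consumed so a callback URL cannot be replayed, and a session
# that never started an authorization request rejects every callback.
def verify_state(session, returned_state)
  expected = session.delete(:oauth2_state)
  return false if expected.nil? || returned_state.nil?
  secure_compare(expected, returned_state)
end

if __FILE__ == $PROGRAM_NAME
  session = {}                      # constructed stand-in for a session store
  state = issue_state(session)
  puts "authorize URL would carry state=#{state}"
  puts "legitimate callback accepted: #{verify_state(session, state)}"
  puts "replayed callback accepted:   #{verify_state(session, state)}"
end
```

Because the check compares against the victim's own session, a callback URL that an attacker prepared in their own browser carries a state the victim's session never issued, and the request is refused.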

Newrelic-rpm


Information disclosure

Vulnerable versions: 3.2.0 to 3.5.2
Fix: update to 3.5.3.25 or later (most recent version: 3.5.5.38)
CVE: CVE-2013-0284
Reported on December 6th 2012

The NewRelic Ruby agent transmitted the SQL statements, the database server's IP address, and the database username and password to NewRelic's servers. This data was not used by their servers. The Ruby agent uses marshaling to transmit objects over the network, and one of the objects it marshalled held a reference to this private data.


Nori


Parameter parsing remote code execution and denial of service

Vulnerable versions: ALL VERSIONS
Fix: update to 1.0.3, 1.1.4, 2.0.2
CVE: CVE-2013-0285
Fixed on 2013/01/09

The nori gem, an XML to Hash translator, supported the symbol and YAML types, and so had the same vulnerability as ActionPack (CVE-2013-0156, see the January report for more information).

Spree

Vulnerable versions: 1.0.*, 1.1.*, 1.2.*, 1.3.*
Fix:
  • update to 1.0.7, 1.1.5, 1.2.4, 1.3.2
  • Workaround: patch for 1.2 https://gist.github.com/huoxito/4720074
Both vulnerabilities were reported by Egor Homakov

Authentication bypass

An attacker can impersonate another user by manipulating the API key. This is another application of the flaw found by joernchen (see the Rails section below).

Denial of service

By crafting a URL, an attacker could make the server create symbols until its memory is exhausted (symbols are not garbage collected), causing a denial of service.

Rails

A lot of projects depend on Rails and its libraries. If you use a CMS (like Refinery or Redmine) or an e-commerce solution (like Spree), please check that you have updated the Rails version they depend on. The same goes for the json gem, which should be updated in every project.

Unsafe typecasting

The MySQL typecasting bug found by joernchen was fixed in Rails 3.0.21, 3.1.11, 3.2.12. Please update to those versions if you have not done it already. SQLite, PostgreSQL, Oracle are not affected, but MySQL, SQL Server and some configurations of DB2 are.

Multi_XML

Vulnerable versions: ALL VERSIONS
Fix: update to 0.5.2
CVE: CVE-2013-0175
Fixed on 2013/01/11
Workaround: gist

The multi_xml gem is vulnerable to the same typed XML flaw as Rails, which can lead to remote code execution. Please update as soon as possible.
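Both the nori and the multi_xml flaws come down to the converter honouring a "type" attribute of yaml or symbol on an element. Until every XML-to-Hash library in an application is updated, a request body can be screened for that attribute before it reaches any parser. The following is an added example written for this newsletter, not code from nori, multi_xml or Rails; it uses Ruby's standard REXML library, the function names (dangerous_xml_types, reject_typed_xml?) are hypothetical, and the sample bodies are constructed.

```ruby
require 'rexml/document'

# Element types that the vulnerable converters turned into Ruby objects.
DANGEROUS_XML_TYPES = %w[yaml symbol].freeze

# Parse the body and return one "element:type" entry for every element that
# carries a dangerous type attribute (case-insensitive). An empty array means
# the body does not use this feature. Malformed XML raises
# REXML::ParseException so the caller can reject it outright.
def dangerous_xml_types(xml)
  doc = REXML::Document.new(xml)
  found = []
  doc.each_recursive do |el|
    type = el.attributes['type']
    next if type.nil?
    normalized = type.strip.downcase
    found << "#{el.name}:#{normalized}" if DANGEROUS_XML_TYPES.include?(normalized)
  end
  found
end

# Convenience predicate for a request filter: true when the body should be
# refused before any XML-to-Hash conversion runs.
def reject_typed_xml?(xml)
  !dangerous_xml_types(xml).empty?
end

# Constructed sample bodies: an ordinary typed value is fine, a yaml-typed
# element is not.
SAFE_BODY = '<order><name>Alice</name><qty type="integer">2</qty></order>'
BAD_BODY  = '<order><note type="yaml">--- {}</note></order>'

if __FILE__ == $PROGRAM_NAME
  [SAFE_BODY, BAD_BODY].each do |body|
    verdict = reject_typed_xml?(body) ? 'REJECT' : 'allow'
    puts "#{verdict}: #{dangerous_xml_types(body).inspect}"
  end
end
```

The check inspects the whole tree, so a typed element nested several levels deep is caught as well as one at the top level. It is a stopgap only; the real fix is updating the libraries listed above.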

Debian

Nginx

Vulnerable versions: ALL VERSIONS
CVE: CVE-2012-4929
Fix: update to 0.7.67-3+squeeze3 for squeeze and to 1.1.16-1 for wheezy and sid
A flaw was found in the TLS protocol which allows for information leaks (e.g. decrypting cookies) if TLS compression is enabled. This nginx update disables compression.


Lighttpd

Vulnerable versions: ALL VERSIONS
CVE: CVE-2009-3555 and CVE-2012-4929
Fix: update to 1.4.28-2+squeeze1.2 for squeeze and 1.4.30-1 for wheezy and sid

Multiple vulnerabilities were found in the TLS protocol. In CVE-2009-3555, the renegotiation feature of TLS (server and client negotiating which protocol version to use) can be abused to inject data into the transmission. In CVE-2012-4929, it was found that TLS compression allows for information leaks (e.g. decrypting cookies).


Weekly tips

Brakeman

Use the Brakeman gem to check the security of your application.


Cookie security

Cookies can contain two useful flags for security:
  • HttpOnly makes the cookie accessible only to the web server. That means that JavaScript code on the client side will not be able to read the cookie's content
  • Secure makes the cookie specific to HTTPS connections. If an attacker forces the user to send data over an unencrypted connection, the cookie will not be sent
To activate these flags, create your cookies like this:
cookies[:key] = {
  :value => 'content',
  :expires => 1.month.from_now,
  :domain => 'example.com',
  :httponly => true,  # not readable from client-side JavaScript
  :secure => true     # only sent over HTTPS
}
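Setting the flags is one half; checking that every cookie your application actually emits carries them is the other. The following is an added example written for this newsletter, not code from Rails or from any gem: it parses Set-Cookie header values the way a deployment check or a test suite might, and reports which of the two flags each cookie lacks. The function names (parse_set_cookie, missing_cookie_flags, audit_cookies) are hypothetical and the sample headers are constructed.

```ruby
# Split one Set-Cookie header value into the cookie name and the lower-cased
# names of its attributes. The value is split on the first "=" only, so
# values that themselves contain "=" (base64 session ids) are handled.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name = parts.shift.split('=', 2).first
  attributes = parts.map { |p| p.split('=', 2).first.downcase }
  { name: name, attributes: attributes }
end

# Return the protective flags the header lacks, e.g. ['HttpOnly', 'Secure'].
# An empty array means the cookie carries both.
def missing_cookie_flags(header)
  attributes = parse_set_cookie(header)[:attributes]
  missing = []
  missing << 'HttpOnly' unless attributes.include?('httponly')
  missing << 'Secure' unless attributes.include?('secure')
  missing
end

# Audit every Set-Cookie header of a response; the result maps each cookie
# name to the list of flags it is missing.
def audit_cookies(headers)
  headers.each_with_object({}) do |header, report|
    report[parse_set_cookie(header)[:name]] = missing_cookie_flags(header)
  end
end

# Constructed sample headers, as a browser would receive them.
SAMPLE_HEADERS = [
  '_session_id=YWJjMTIz==; path=/; expires=Wed, 20 Mar 2013 00:00:00 GMT; HttpOnly; Secure',
  'remember_me=1; path=/; expires=Wed, 20 Mar 2013 00:00:00 GMT',
  'prefs=dark; path=/; domain=example.com; httponly'
]

if __FILE__ == $PROGRAM_NAME
  audit_cookies(SAMPLE_HEADERS).each do |name, missing|
    status = missing.empty? ? 'ok' : "missing #{missing.join(', ')}"
    puts "#{name}: #{status}"
  end
end
```

Run this against the headers of a real response (for instance the output of curl -sI on your login page) and treat any non-empty list for a session or remember-me cookie as a finding.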

Deactivate the default parser in Rails

The YAML vulnerability is (hopefully, for now) fixed, but you are not protected from a new vulnerability in the default parsers. If you don't mind parsing your JSON or XML yourself, use the following line in your code to disable them:

ActionDispatch::ParamsParser::DEFAULT_PARSERS={}

For Rails 2.x:

ActionController::Base.param_parsers ={}


Monitoring

Staying up to date on the recent vulnerabilities and patching often is good security hygiene, but would you know if someone was attacking your service? Getting notified quickly is fundamental for a rapid security response. Here are some services that could help you:
  • Pingdom and Webmon will notify you in case of performance or availability problems
  • Airbrake and Honeybadger will track exceptions for you
  • Logentries and Papertrail aggregate logs for you, and provide a nice interface to explore them
  • PagerDuty integrates with your monitoring system to notify the right person (on call) by e-mail and SMS right away

Deploy SSL correctly

Do you use SSL on your server? Good for you! Did you use the default configuration? That's a bad idea! There is a list of recommendations to improve the security of your SSL server, provided by Qualys, along with a nice automated SSL security test. Check it out, it is a pretty cool tool! Don't hesitate to contact me if you need help configuring SSL.