Ruby on Rails Vulnerability Leads to Remote Command Execution on Servers

As always, the year is kicking off with a bang. This is a public service announcement to get the word out on a very serious vulnerability found, and patched, on the Ruby on Rails application. It’s estimated that there are some 250k + websites using the application so it’s important the word gets out.

On January 8th a very serious vulnerability was released for the Ruby on Rails application. A number of proof of concepts (PoC) on how to exploit, demonstrating the seriousness have been posted on several forums and blogs. One of the better ones is on Ronin blog. The issues comes down to the parameter parsing component of the application, it contains a weakness that allows an attacker to bypass authentication systems, inject and execute arbitrary code and perform denial of service (DoS) attacks on any Ruby application.

It’s important to note that this vulnerability has since been patched and it’s imperative that if you’re using the Ruby on Rails application you update immediately.

The one attack vector that stands out from the rest is the arbitrary injection and execution of code at the server level. This means that the threat goes beyond your application and has the potential to penetrate further into your infrastructure and / or impact any neighboring applications that may not be built on Ruby on Rails. Instead of drafting the reasons this is so serious I’ll reference another good post that articulates and summarizes the issue well, on Code Climate:

Threat Agents: Anyone who is able to make HTTPs request to your Rails application.
Exploitability: Easy — Proof of concepts in the wild require only the URL of the application to attack a Ruby code payload.
Prevalence: Widespread — All Rails versions prior to those released on Tuesday are vulnerable.
Detectability: Easy — No special knowledge of the application is required to test it for the vulnerability, making it simple to perform automated spray-and-pray scans.
Technical Impacts: Severe — Attackers can execute Ruby (and therefore shell) code at the privilege level of the application process, potentially leading to host takeover.
Business Impacts: Severe — All of your data could be stolen and your server resources could be used for malicious purposes. Consider the reputation damage from these impacts.