Vulnerability in RubyGems.org allowing replacement of other people's packages

A critical vulnerability (CVE-2022-29176) has been identified in the RubyGems.org package repository. It allowed an unauthorized party to replace certain packages belonging to other users by initiating a yank of the legitimate package and then uploading a different file with the same name and version number in its place.

To successfully exploit the vulnerability, three conditions must be met:

  • The attack only works against packages whose name contains a hyphen character.
  • The attacker must control a gem whose name matches the target's name up to a hyphen. For example, to attack the "rails-html-sanitizer" package, the attacker must have published their own "rails-html" package in the repository.
  • The package being attacked must have been created within the last 30 days or not updated for 100 days.

The vulnerability is caused by a flaw in the "yank" action handler, which treated the part of the name after the hyphen as the platform name, making it possible to initiate the removal of other people's packages whose names match up to the hyphen character. Specifically, the "yank" handler looked up packages with 'find_by!(full_name: "#{rubygem.name}-#{slug}")', where the "slug" parameter is supplied by the package owner to identify the version to remove. The owner of the "rails-html" package could pass "sanitizer-1.2.3" instead of the version "1.2.3", causing the operation to be applied to someone else's "rails-html-sanitizer-1.2.3" package.
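The following is an added illustration, not code from RubyGems.org or from the article: a constructed in-memory model of gem versions, the lookup built by string concatenation as described above, and a hardened variant that additionally requires the matched version to belong to the gem whose owner is performing the yank. The record names and the "assumed fix" are assumptions for illustration, not the project's actual patch.

```ruby
# Constructed stand-in for the Rubygem/Version records on RubyGems.org.
# Field names here are assumptions for illustration, not the real schema.
GemVersion = Struct.new(:rubygem, :number, :platform) do
  # RubyGems builds full_name as name-number, appending -platform for
  # anything other than the default "ruby" platform.
  def full_name
    platform == "ruby" ? "#{rubygem}-#{number}" : "#{rubygem}-#{number}-#{platform}"
  end
end

# Constructed sample data: an attacker-owned "rails-html" gem next to the
# legitimate "rails-html-sanitizer" gem (ruby and java builds).
VERSIONS = [
  GemVersion.new("rails-html", "1.2.3", "ruby"),
  GemVersion.new("rails-html-sanitizer", "1.2.3", "ruby"),
  GemVersion.new("rails-html-sanitizer", "1.2.3", "java"),
].freeze

# Vulnerable lookup: mirrors find_by!(full_name: "#{rubygem.name}-#{slug}").
# The slug is caller-controlled, so any slug that concatenates into another
# gem's full_name resolves to that other gem's version.
def find_version_vulnerable(rubygem_name, slug)
  VERSIONS.find { |v| v.full_name == "#{rubygem_name}-#{slug}" }
end

# Hardened lookup (assumed fix): the full_name must still match, but only
# versions owned by the gem being yanked are candidates, so a slug that
# spells out a different gem's name can never match.
def find_version_hardened(rubygem_name, slug)
  VERSIONS.find do |v|
    v.rubygem == rubygem_name && v.full_name == "#{rubygem_name}-#{slug}"
  end
end

# Returns the name of the gem a yank of +slug+ by the owner of +rubygem_name+
# would actually hit, or nil when the lookup correctly finds nothing.
def yank_target(rubygem_name, slug, lookup)
  v = send(lookup, rubygem_name, slug)
  v && v.rubygem
end
```

With the vulnerable lookup, the owner of "rails-html" passing the slug "sanitizer-1.2.3" hits "rails-html-sanitizer"; the hardened lookup returns nothing for that slug while still resolving the owner's own "1.2.3".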

The issue was identified by a security researcher as part of HackerOne's bounty program for finding security issues in well-known open source projects. The problem was fixed in RubyGems.org on May 5; according to the developers, they have not yet found traces of exploitation of the vulnerability in the logs for the past 18 months. However, only a superficial audit has been carried out so far, and a deeper audit is planned.

To check your projects, it is recommended to analyze the change history of the Gemfile.lock file. Malicious activity would show up as changes in which the name and version stay the same, or as a platform change (for example, the gemname-1.2.3 package being updated to gemname-1.2.3-java). As a workaround against covert package substitution in continuous integration systems or when publishing projects, developers are encouraged to run Bundler with the "--frozen" or "--deployment" option so that dependencies are locked.

Source: opennet.ru
