Ruby applications accept arbitrary SSL certificates
Security services provider iSEC has revealed a vulnerability in the Net::HTTPS module in the Ruby scripting language. Applications which use this module could be vulnerable to man-in-the-middle attacks. According to the security advisory, although the module does check whether a certificate is generally valid, it does not check the common name (CN), i.e. that the server name on the certificate matches the origin of the relevant page. An attacker could therefore use an arbitrary valid certificate issued by a public CA to infiltrate a connection using a MITM attack.
Apparently, the problem results from the connect method in the http.rb file failing to call the post_connection_check function after negotiating an SSL connection. The net::ftptls, net::telnets and net::imap modules, and the CVS versions of net::pop and net::smtp are also affected by this problem.
The bugs are present in all 1.8.x versions and in development version 1.9 prior to 23rd Sept. 2006. Updating to version 1.8.6 -p111 or 1.8.5-p114 (GZIP files) fixes the problem. The official security advisory on ruby-lang.org also recommends setting the option http.enable_post_connection_check = true to activate post connection checking. Red Hat has already released a package in which the bug has been fixed. This package also fixes a DoS vulnerability. Other Linux distributors are likely to follow suit shortly.
- Net::HTTPS Vulnerability, security advisory on ruby-language.org
- Ruby Net::HTTPS library does not validate server certificate CN, security advisory from iSEC Partners
- ruby security update, security advisory from Red Hat