ID CVE-2015-3900
Summary RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
References
Vulnerable Configurations
  • ruby-lang Ruby 1.9
    cpe:2.3:a:ruby-lang:ruby:1.9
  • ruby-lang Ruby 1.9.1
    cpe:2.3:a:ruby-lang:ruby:1.9.1
  • ruby-lang Ruby 1.9.2
    cpe:2.3:a:ruby-lang:ruby:1.9.2
  • ruby-lang Ruby 1.9.3
    cpe:2.3:a:ruby-lang:ruby:1.9.3
  • ruby-lang Ruby 2.0.0
    cpe:2.3:a:ruby-lang:ruby:2.0.0
  • ruby-lang Ruby 2.1
    cpe:2.3:a:ruby-lang:ruby:2.1
  • ruby-lang Ruby 2.1.1
    cpe:2.3:a:ruby-lang:ruby:2.1.1
  • ruby-lang Ruby 2.1.2
    cpe:2.3:a:ruby-lang:ruby:2.1.2
  • ruby-lang Ruby 2.1.3
    cpe:2.3:a:ruby-lang:ruby:2.1.3
  • ruby-lang Ruby 2.1.4
    cpe:2.3:a:ruby-lang:ruby:2.1.4
  • ruby-lang Ruby 2.1.5
    cpe:2.3:a:ruby-lang:ruby:2.1.5
  • ruby-lang Ruby 2.2.0
    cpe:2.3:a:ruby-lang:ruby:2.2.0
  • RubyGems RubyGems 2.0.0
    cpe:2.3:a:rubygems:rubygems:2.0.0
  • RubyGems RubyGems 2.0.1
    cpe:2.3:a:rubygems:rubygems:2.0.1
  • RubyGems RubyGems 2.0.2
    cpe:2.3:a:rubygems:rubygems:2.0.2
  • RubyGems RubyGems 2.0.3
    cpe:2.3:a:rubygems:rubygems:2.0.3
  • RubyGems RubyGems 2.0.4
    cpe:2.3:a:rubygems:rubygems:2.0.4
  • RubyGems RubyGems 2.0.5
    cpe:2.3:a:rubygems:rubygems:2.0.5
  • RubyGems RubyGems 2.0.6
    cpe:2.3:a:rubygems:rubygems:2.0.6
  • RubyGems RubyGems 2.0.7
    cpe:2.3:a:rubygems:rubygems:2.0.7
  • RubyGems RubyGems 2.0.8
    cpe:2.3:a:rubygems:rubygems:2.0.8
  • RubyGems RubyGems 2.0.9
    cpe:2.3:a:rubygems:rubygems:2.0.9
  • RubyGems RubyGems 2.0.10
    cpe:2.3:a:rubygems:rubygems:2.0.10
  • RubyGems RubyGems 2.0.11
    cpe:2.3:a:rubygems:rubygems:2.0.11
  • RubyGems RubyGems 2.0.12
    cpe:2.3:a:rubygems:rubygems:2.0.12
  • RubyGems RubyGems 2.0.13
    cpe:2.3:a:rubygems:rubygems:2.0.13
  • RubyGems RubyGems 2.0.14
    cpe:2.3:a:rubygems:rubygems:2.0.14
  • RubyGems RubyGems 2.0.15
    cpe:2.3:a:rubygems:rubygems:2.0.15
  • RubyGems RubyGems 2.2.0
    cpe:2.3:a:rubygems:rubygems:2.2.0
  • RubyGems RubyGems 2.2.1
    cpe:2.3:a:rubygems:rubygems:2.2.1
  • RubyGems RubyGems 2.2.2
    cpe:2.3:a:rubygems:rubygems:2.2.2
  • RubyGems RubyGems 2.2.3
    cpe:2.3:a:rubygems:rubygems:2.2.3
  • RubyGems RubyGems 2.4.0
    cpe:2.3:a:rubygems:rubygems:2.4.0
  • RubyGems RubyGems 2.4.1
    cpe:2.3:a:rubygems:rubygems:2.4.1
  • RubyGems RubyGems 2.4.2
    cpe:2.3:a:rubygems:rubygems:2.4.2
  • RubyGems RubyGems 2.4.3
    cpe:2.3:a:rubygems:rubygems:2.4.3
  • RubyGems RubyGems 2.4.4
    cpe:2.3:a:rubygems:rubygems:2.4.4
  • RubyGems RubyGems 2.4.5
    cpe:2.3:a:rubygems:rubygems:2.4.5
  • RubyGems RubyGems 2.4.6
    cpe:2.3:a:rubygems:rubygems:2.4.6
  • Oracle Solaris 11.3
    cpe:2.3:o:oracle:solaris:11.3
  • Red Hat Enterprise Linux 6
    cpe:2.3:o:redhat:enterprise_linux:6
  • Red Hat Enterprise Linux (RHEL) 7.0 (7)
    cpe:2.3:o:redhat:enterprise_linux:7.0
CVSS
Base: 5.0 (as of 19-10-2016 - 13:04)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A0089E18FC9E11E4BC58001E67150279.NASL
    description Jonathan Claudius reports : RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 83513
    published 2015-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83513
    title FreeBSD : rubygems -- request hijacking vulnerability (a0089e18-fc9e-11e4-bc58-001e67150279)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12501.NASL
    description Update to RubyGems 2.4.8. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 85309
    published 2015-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85309
    title Fedora 23 : rubygems-2.4.8-100.fc23 (2015-12501)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-549.NASL
    description RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900) As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 84250
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84250
    title Amazon Linux AMI : ruby22 (ALAS-2015-549)
  • NASL family CGI abuses
    NASL id PUPPET_ENTERPRISE_CVE_2015-4100.NASL
    description According to its self-reported version number, the Puppet Enterprise application running on the remote host is version 3.7.x or 3.8.x prior to 3.8.1. It is, therefore, affected by the following vulnerabilities : - A flaw exists in RubyGems due to a failure to validate hostnames when fetching gems or making API requests. A remote attacker, using a crafted DNS SRV record, can exploit this to redirect requests to arbitrary domains. (CVE-2015-3900) - A flaw exists in RubyGems due to a failure to sanitize DNS responses, which allows a man-in-the-middle attacker to install arbitrary applications. (CVE-2015-4020) - A flaw exists in Puppet Enterprise related to how certificates are managed, under certain vulnerable configurations, which allows a trusted certificate to be used to perform full certificate management. An attacker can exploit this flaw to revoke the certificates of other nodes or to approve their certificate requests. (CVE-2015-4100) Note that the default 'monolithic', 'split', and 'multimaster' installations of Puppet Enterprise are not affected by CVE-2015-4100.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 84961
    published 2015-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84961
    title Puppet Enterprise 3.7.x < 3.8.1 / 3.8.x < 3.8.1 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1067-1.NASL
    description This ruby2.1 update to version 2.1.9 fixes the following issues: Security issues fixed : - CVE-2016-2339: heap overflow vulnerability in Fiddle::Function.new 'initialize' (bsc#1018808) - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495) - CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032) - CVE-2015-1855: Ruby's OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames (bsc#926974) - CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877) Bugfixes : - SUSEconnect doesn't handle domain wildcards in the no_proxy environment variable properly (bsc#1014863) - Segmentation fault after pack & ioctl & unpack (bsc#909695) - Ruby: HTTP header injection in 'net/http' (bsc#986630) ChangeLog : - http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99578
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99578
    title SUSE SLED12 / SLES12 Security Update : ruby2.1 (SUSE-SU-2017:1067-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1050.NASL
    description According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new 'initialize' functionality of Ruby. In Fiddle::Function.new 'initialize', the heap buffer 'arg_types' allocation is made based on the args array length. A specially constructed object passed as an element of the args array can increase this array's size after the mentioned allocation and cause a heap overflow. (CVE-2016-2339) - Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing a different type of object than String as the 'retval' argument can cause arbitrary code execution. (CVE-2016-2337) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99895
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99895
    title EulerOS 2.0 SP1 : ruby (EulerOS-SA-2017-1050)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13157.NASL
    description Update to RubyGems 2.2.5. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 85553
    published 2015-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85553
    title Fedora 21 : rubygems-2.2.5-100.fc21 (2015-13157)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-527.NASL
    description This ruby2.1 update to version 2.1.9 fixes the following issues : Security issues fixed : - CVE-2016-2339: heap overflow vulnerability in Fiddle::Function.new 'initialize' (bsc#1018808) - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495) - CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032) - CVE-2015-1855: Ruby's OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames (bsc#926974) - CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877) Bugfixes : - SUSEconnect doesn't handle domain wildcards in the no_proxy environment variable properly (bsc#1014863) - Segmentation fault after pack & ioctl & unpack (bsc#909695) - Ruby: HTTP header injection in 'net/http' (bsc#986630) ChangeLog : - http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 99753
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99753
    title openSUSE Security Update : ruby2.1 (openSUSE-2017-527)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12574.NASL
    description Update to RubyGems 2.4.8. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 85312
    published 2015-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85312
    title Fedora 22 : rubygems-2.4.8-100.fc22 (2015-12574)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-548.NASL
    description RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900) As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 84249
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84249
    title Amazon Linux AMI : ruby21 (ALAS-2015-548)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1051.NASL
    description According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new 'initialize' functionality of Ruby. In Fiddle::Function.new 'initialize', the heap buffer 'arg_types' allocation is made based on the args array length. A specially constructed object passed as an element of the args array can increase this array's size after the mentioned allocation and cause a heap overflow. (CVE-2016-2339) - Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing a different type of object than String as the 'retval' argument can cause arbitrary code execution. (CVE-2016-2337) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99896
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99896
    title EulerOS 2.0 SP2 : ruby (EulerOS-SA-2017-1051)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-547.NASL
    description RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in the SRV record before sending requests to it. (CVE-2015-3900) As discussed upstream, CVE-2015-4020 is due to an incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 84248
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84248
    title Amazon Linux AMI : ruby20 (ALAS-2015-547)
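The plugin descriptions above explain the mechanism behind CVE-2015-3900: a client asks DNS for the `_rubygems._tcp` SRV record under the gem source's domain and, in the affected versions, follows whatever target host the record names. The defensive property a fixed client needs is that the SRV target is a syntactically clean hostname that lies under the domain the client originally asked for; anything else is ignored and the original host is used. The Ruby below is an added illustration of that check, written for this page; it is not RubyGems' own code, and the module name `SrvRedirectCheck` and its method names are assumptions. `valid_target?` and `redirect_uri` are pure functions on strings, so they run offline; `lookup_target` is the only part that touches the network and is included only to show where the check sits.

```ruby
# Added example: validating the _rubygems._tcp SRV target before following it.
# Illustrative code for this page, not RubyGems' implementation.
require "uri"
require "resolv"

module SrvRedirectCheck
  # One or more DNS labels: letters, digits and hyphens, no leading or
  # trailing hyphen, no empty labels, nothing else (no spaces, slashes,
  # control characters or embedded NULs).
  LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
  HOSTNAME_RE = /\A(?:#{LABEL}\.)+#{LABEL}\z/i

  # True only if `target` is a well-formed hostname that is a proper
  # subdomain of `original_host`. The original host itself is not a
  # redirect, so it returns false and the caller keeps the original URI.
  def self.valid_target?(original_host, target)
    base   = original_host.to_s.strip.chomp(".").downcase
    target = target.to_s.strip.chomp(".")
    return false if base.empty? || target.empty?
    return false unless HOSTNAME_RE.match?(target)

    # Re-parse through URI so the string we validated is exactly the host an
    # HTTP client would connect to; any discrepancy means rejection.
    parsed_host = URI("http://#{target}/").host.to_s.downcase
    return false unless parsed_host == target.downcase

    parsed_host.end_with?(".#{base}")
  rescue URI::InvalidURIError
    false
  end

  # Build the URI the client should actually use. The SRV target replaces the
  # host only when it passes valid_target?; otherwise the original URI is kept.
  def self.redirect_uri(original, target)
    uri = URI(original)
    return uri unless valid_target?(uri.host, target)

    URI("#{uri.scheme}://#{target.to_s.strip.chomp('.')}#{uri.path}")
  end

  # Network lookup of the SRV record (not exercised offline). Returns the
  # target name as a string, or nil when the record does not exist.
  def self.lookup_target(host, resolver: Resolv::DNS.new)
    rr = resolver.getresource("_rubygems._tcp.#{host}",
                              Resolv::DNS::Resource::IN::SRV)
    rr.target.to_s
  rescue Resolv::ResolvError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not real DNS answers.
  [["rubygems.org", "api.rubygems.org"],
   ["rubygems.org", "mirror.example"],
   ["rubygems.org", "rubygems.org.mirror.example"]].each do |host, target|
    puts "#{host} -> #{target}: #{SrvRedirectCheck.valid_target?(host, target)}"
  end
end
```

The two-step check matters: the regular expression rejects anything that is not a plain hostname, and the URI round trip confirms the validated string is the host the HTTP layer will really use, so a target that merely ends in the right suffix but parses differently cannot slip through.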
redhat via4
advisories
rhsa
id RHSA-2015:1657
refmap via4
bid 75482
confirm
fedora
  • FEDORA-2015-12501
  • FEDORA-2015-12574
  • FEDORA-2015-13157
misc
mlist [oss-security] 20150626 rubygems <2.4.8 vulnerable to DNS request hijacking (CVE-2015-3900 and CVE-2015-4020)
Last major update 23-12-2016 - 21:59
Published 24-06-2015 - 10:59
Last modified 08-12-2017 - 21:29