Cross-posted from the ShareSecret blog.
Earlier today the Rails team pushed new versions to patch three security vulnerabilities:
- CVE-2019-5418: Action view file content disclosure
- CVE-2019-5419: Action view Denial of Service (DOS)
- CVE-2019-5420: Rails development mode Remote code execution (RCE)
I’ve addressed the vulnerabilities below in order of severity.
Note: The Rails upgrade guide is a great resource for upgrading your Rails app.
🚨 🚨 🚨 🚨 🚨 🔥 Action View Denial of Service (DOS)
Alarm level: Five alarm fire. Patch immediately.
If you’re rendering templates, you’re almost definitely subject to a DOS attack. This one is really bad. Patch/upgrade immediately.
Using specially crafted headers, an attacker can max out the CPU by exploiting the template lookup code. Rendering templates wrapped in a respond_to block is safe. Otherwise, you’re vulnerable.
Vulnerable:
    class UserController < ApplicationController
      def index
        # bare render: template lookup is driven by request headers (CVE-2019-5419)
        render "index"
      end
    end
Not vulnerable:
    class UserController < ApplicationController
      def index
        # wrapping render in respond_to limits rendering to the formats listed here
        respond_to do |format|
          format.html { render "index" }
        end
      end
    end
🚨 🚨 🚨 🚨 🚨 🔥 Action View File Content Disclosure
Alarm level: Five alarm fire. Patch immediately.
By using specially crafted headers, an attacker can read an arbitrary file’s contents if you use render file: 'filename'. Not good.
The good news: if you’re just rendering normal templates, you’re not affected by this vulnerability, though you’re probably affected by CVE-2019-5419.
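Both the DOS and the file content disclosure above are triggered through crafted request headers, so while the upgrade is rolling out it is worth having a layer in front of the app that refuses Accept headers which are not syntactically valid media ranges. The following is an added example written for this post, not code from the original article or from Rails: a dependency-free Rack-style middleware (it only needs an object responding to call(env), so it runs without the rack gem) that rejects malformed Accept headers with 406 and logs the rejection so you can build a detection rule from it. The sample requests in the demo are constructed. This is defence in depth only; it does not replace patching.

```ruby
# Added example, not from the original post or from Rails: reject requests whose
# Accept header is not a well-formed list of media ranges (defence in depth).
require "logger"

module AcceptHeaderGuard
  # RFC 7231 media-range: type "/" subtype (each an RFC 7230 token, or "*"),
  # optionally followed by ";name=value" parameters.
  TOKEN = /[!$%#&'*+\-.^_`|~0-9A-Za-z]+/
  MEDIA_RANGE = /\A(\*|#{TOKEN.source})\/(\*|#{TOKEN.source})(\s*;\s*#{TOKEN.source}=(#{TOKEN.source}|"[^"]*"))*\z/

  # True when every comma-separated entry is a well-formed media range.
  # A missing or empty header means "*/*" and is accepted.
  def self.valid_accept?(header)
    return true if header.nil? || header.strip.empty?
    header.split(",").all? { |entry| MEDIA_RANGE.match?(entry.strip) }
  end

  class Middleware
    def initialize(app, logger: Logger.new($stderr))
      @app = app
      @logger = logger
    end

    def call(env)
      accept = env["HTTP_ACCEPT"]
      unless AcceptHeaderGuard.valid_accept?(accept)
        # Log enough to write a detection rule from; truncate so a hostile
        # header cannot bloat the log line.
        @logger.warn("rejected malformed Accept header from #{env['REMOTE_ADDR']}: #{accept.to_s[0, 80].inspect}")
        return [406, { "Content-Type" => "text/plain" }, ["Not Acceptable\n"]]
      end
      @app.call(env)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: a normal browser Accept header and a malformed one.
  app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>index</h1>"]] }
  guard = AcceptHeaderGuard::Middleware.new(app)
  good = { "HTTP_ACCEPT" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "REMOTE_ADDR" => "192.0.2.10" }
  bad  = { "HTTP_ACCEPT" => "text/{{html}}", "REMOTE_ADDR" => "192.0.2.11" }
  puts guard.call(good)[0] # 200
  puts guard.call(bad)[0]  # 406
end
```

Mount it before the Rails stack (config.middleware.insert_before 0, AcceptHeaderGuard::Middleware) so the check runs ahead of template lookup; the 406 responses in your logs are then a ready-made signal for alerting on probing.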
🚨 Rails development mode RCE
Alarm level: Not good, but go back to sleep. Fix it in the morning.
Due to how Rails generates the secret_key_base in development mode — an MD5 of the app module name — if you know the name of the application, you can figure out the secret key. As long as you don’t have dev-mode apps exposed to the public, this isn’t a huge deal, though it is still worth fixing.
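A quick way to confirm whether your own development secret is the predictable one is to compare it against the derivation described above. The following is an added example written for this post, not code from the original article or from Rails: it flags a secret_key_base that equals the MD5 of the app module name, that merely looks like an MD5 digest, or that is too short to be the output of rails secret. The app module name "MyApp::Application" in the sample is constructed, and it is an assumption that this is the string Rails hashed; the post does not state the exact input, so check it against your Rails version.

```ruby
# Added example, not from the original post or from Rails: check your own
# development secret_key_base for the predictable derivation described above.
require "digest"

module DevSecretCheck
  MD5_HEX = /\A\h{32}\z/

  # `rails secret` emits 128 hex characters; anything much shorter is suspect.
  MIN_SECRET_LENGTH = 64

  # Returns a list of human-readable findings; empty means nothing was flagged.
  # app_module_name is assumed to be the string Rails hashed (e.g. "MyApp::Application").
  def self.findings(secret, app_module_name)
    findings = []
    if secret.nil? || secret.empty?
      findings << "secret_key_base is empty"
      return findings
    end
    if secret == Digest::MD5.hexdigest(app_module_name)
      findings << "secret_key_base equals MD5(#{app_module_name}): predictable from the app name"
    elsif MD5_HEX.match?(secret)
      findings << "secret_key_base looks like an MD5 digest (32 hex chars): likely derived, not random"
    end
    if secret.length < MIN_SECRET_LENGTH
      findings << "secret_key_base is #{secret.length} chars; expected at least #{MIN_SECRET_LENGTH}"
    end
    findings
  end

  def self.predictable?(secret, app_module_name)
    !findings(secret, app_module_name).empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a dev secret that happens to be the MD5 of the app name.
  app_name = "MyApp::Application"
  weak = Digest::MD5.hexdigest(app_name)
  DevSecretCheck.findings(weak, app_name).each { |f| puts "FINDING: #{f}" }
  puts "ok" unless DevSecretCheck.predictable?("a" * 128, app_name)
end
```

Run it with the value Rails actually resolves (Rails.application.secret_key_base from a development console) rather than a value copied from a config file, so you test what the app uses.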
☝️ Be sure to check out Sharesecret, which makes it easy to securely share sensitive data.
Top comments (5)
I think we need more breakdowns that use this type of "in your face. Here's how urgent this is" language for security patches. Not in place of the technical details, but preferably in addition to.
As someone that's involved with Rails to the extent of 'maybe I installed it at some point', this article was easy to follow. Great write-up!
Hey thanks, I appreciate it, and I agree! There are so many security updates, and it's easy to pass over them when you read the headline.
Rails development mode RCE is a bad one depending on your network layout. A development server can quickly become a pivot point to internal networks if the network is not well segmented.
Yea, that's a great point. I'll update the post with a blurb about that.
Hey, thanks Alex for sorting out the security issues that matter from the noise - will start following your posts!