#VU11648 Improper verification of cryptographic signature in Ruby - CVE-2018-1000076

Cybersecurity Help s.r.o.

Published: 2018-04-10

Vulnerability identifier: #VU11648

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1000076

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby
Universal components / Libraries / Scripting languages

Vendor: Ruby

Description
The vulnerability allows a remote attacker to write arbitrary files on the target system.

The weakness exists in package.rb due to improper verification of cryptographic signature. A remote attacker can install mis-signed gem, as the tarball would contain multiple gem signatures.

Mitigation
Update to version 2.7.6.

Vulnerable software versions

Ruby: 2.2.0 - 2.5.0

External links
https://blog.rubygems.org/2018/02/15/2.7.6-released.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Protection Search

Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance

Red Hat Enterprise Linux 7.6 update for ruby

Red Hat Enterprise Linux Server 7.4 update for ruby

Red Hat update for ruby

OpenSUSE Linux update for ruby-bundled-gems-rpmhelper, ruby2.5

Red Hat update for ruby