Earlier today the Rails team pushed new versions to patch three security vulnerabilities:

  1. CVE-2019-5418: Action View file content disclosure
  2. CVE-2019-5419: Action View denial of service (DoS)
  3. CVE-2019-5420: Rails development mode remote code execution (RCE)

I’ve addressed them below in order of severity.

Note: the Rails upgrade guide is a great resource for upgrading your Rails app.

Action View Denial of Service (DoS) 🚨 🚨 🚨 🚨 🚨 🔥

Severity: Five alarm fire. Patch immediately.

If you’re rendering templates, you’re almost definitely subject to a DoS attack. This one is really bad. Patch/upgrade immediately.

Using specially crafted headers, an attacker can max out the CPU by exploiting the template lookup code. Rendering templates wrapped in a respond_to block is safe. Otherwise, you’re vulnerable.

Vulnerable:

class UserController < ApplicationController
  def index
    # bare render: template lookup is driven by the request's format headers
    render "index"
  end
end

Not vulnerable:

class UserController < ApplicationController
  def index
    # respond_to pins the formats this action will serve
    respond_to do |format|
      format.html { render "index" }
    end
  end
end

Read more

Action View File Content Disclosure 🚨 🚨 🚨 🚨 🚨 🔥

Severity: Five alarm fire. Patch immediately.

By sending specially crafted headers, an attacker can read an arbitrary file’s contents if you use render file: 'filename'. Not good.

The good news: if you’re just rendering normal templates, you’re not affected by this vulnerability, though you’re probably affected by CVE-2019-5419.

Read more
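To triage a codebase against the two Action View issues above before patching, a quick source audit helps: it applies the post's own criteria, flagging render calls that sit outside any respond_to block (the DoS case) and any render file: call (the file disclosure case). This is an added example, not code from the post or from Rails; the controller source it scans is constructed, and the scan is a line-based heuristic rather than a real Ruby parser.

```ruby
# Heuristic audit: flag `render` outside any `respond_to` block and any
# `render file:` call. Line-based, not a parser: one-line methods, `#` inside
# strings and multi-line render calls are not handled, so review each hit.
BLOCK_OPENER = /\A\s*(def|class|module|if|unless|case|while|until|begin)\b|\bdo(\s*\|[^|]*\|)?\s*\z/
BLOCK_CLOSER = /\A\s*end\b/

# Returns an array of { line:, issue:, code: } hashes for one controller source.
def audit_controller(source)
  findings = []
  stack = [] # one boolean per open block: true when it is a respond_to block
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp.sub(/#.*/, "").rstrip # drop trailing comments
    next if line.empty?
    if line =~ BLOCK_CLOSER
      stack.pop
      next
    end
    if line =~ /\brender\b/
      if line =~ /\brender\s*\(?\s*file:/
        findings << { line: lineno, issue: :render_file, code: line.strip }
      elsif !stack.any?
        findings << { line: lineno, issue: :unwrapped_render, code: line.strip }
      end
    end
    # open a block frame only after checking the line itself
    stack << line.include?("respond_to") if line =~ BLOCK_OPENER
  end
  findings
end

# Constructed sample controller; not taken from any real application.
SAMPLE_CONTROLLER = <<~RUBY
  class UserController < ApplicationController
    def index
      render "index"                    # unwrapped render
    end
    def show
      respond_to do |format|
        format.html { render "show" }   # wrapped, safe per the advisory
      end
    end
    def manual
      render file: "/docs/manual.html"  # arbitrary-file render
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_controller(SAMPLE_CONTROLLER).each { |f| puts "line #{f[:line]}: #{f[:issue]} -> #{f[:code]}" }
end
```

Run it over each file under app/controllers and work through the hits; after upgrading, the render file: hits are still worth a second look since that call renders whatever path it is given.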

Rails development mode RCE 🚨

Severity: Not good, but go back to sleep. Fix it in the morning.

Due to how Rails generates the secret_key_base in development mode (an MD5 of the application module name), if you know the name of the application, you can figure out the secret key. As long as you don’t have dev mode apps exposed to the public, this isn’t a huge deal, though it is still something worth fixing.

Read more