Allele Security Alert
ASA-2019-00130
Identifier(s)
ASA-2019-00130, CVE-2019-5420
Title
Possible Remote Code Execution Exploit in Rails Development Mode
Vendor(s)
Ruby on Rails core team
Product(s)
Ruby on Rails
Affected version(s)
Ruby on Rails 6.0.0.X
Ruby on Rails 5.2.X
Fixed version(s)
Ruby on Rails 6.0.0.beta3
Ruby on Rails 5.2.2.1
Proof of concept
Yes
Description
With some knowledge of a target application, it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
All users running an affected release should either upgrade or use one of the workarounds immediately.
This issue can be mitigated by specifying a secret key in development mode. In “config/environments/development.rb” add this:
config.secret_key_base = SecureRandom.hex(64)
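As an added example (not part of this alert, and not Rails' own code), the Ruby helper below shows one way to apply the workaround while keeping the key stable between restarts. The line quoted above is evaluated every time development.rb loads, so SecureRandom.hex(64) produces a fresh key on each boot and any cookies signed under the previous key stop verifying; generating the key once and persisting it in a git-ignored file avoids that while the key stays random and unguessable. The helper uses only the Ruby standard library; the file location tmp/development_secret.txt, the lib/dev_secret.rb placement and the function names are assumptions made for this example.

```ruby
require "securerandom"
require "fileutils"
require "tmpdir"

# Length of the generated secret in random bytes (64 bytes = 128 hex chars,
# matching the SecureRandom.hex(64) workaround quoted in the alert).
DEV_SECRET_BYTES = 64

# True only for a full-length hex string of the expected size, so a
# truncated, empty or hand-edited secret file is never accepted as-is.
def strong_dev_secret?(secret, bytes: DEV_SECRET_BYTES)
  secret.is_a?(String) && secret.match?(/\A\h{#{bytes * 2}}\z/)
end

# Hypothetical helper (not part of Rails): return the development-only
# secret_key_base, generating it once and persisting it at +path+ so that
# every boot of the app reuses the same random key. The path is assumed to
# be outside version control (tmp/ is in the default Rails .gitignore).
def ensure_dev_secret(path, bytes: DEV_SECRET_BYTES)
  if File.file?(path)
    existing = File.read(path).strip
    return existing if strong_dev_secret?(existing, bytes: bytes)
  end
  FileUtils.mkdir_p(File.dirname(path))
  secret = SecureRandom.hex(bytes)
  # 0600: only the developer running the app can read the key.
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.write(secret)
  end
  File.chmod(0o600, path) # tighten the mode if the file already existed
  secret
end

# The stanza to put in config/environments/development.rb, assuming the
# helper above lives in lib/dev_secret.rb (an assumed location).
def development_rb_stanza(secret_path = "tmp/development_secret.txt")
  <<~RUBY
    # CVE-2019-5420 workaround: fixed random development secret.
    require Rails.root.join("lib/dev_secret").to_s
    config.secret_key_base = ensure_dev_secret(Rails.root.join(#{secret_path.inspect}).to_s)
  RUBY
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "tmp", "development_secret.txt")
    first = ensure_dev_secret(path)
    second = ensure_dev_secret(path)
    puts "stable across boots: #{first == second}" # true
    puts "length: #{first.length}"                  # 128
  end
  puts development_rb_stanza
end
```

Running the file stand-alone writes the secret into a temporary directory, reads it back a second time to show the same key is returned, and prints the configuration stanza. The validity check matters in practice: an empty or partially written secret file must trigger regeneration rather than quietly becoming a short, easily guessed key.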
Technical details
Unknown
Credits
ooooooo_q
Reference(s)
Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released!
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
[CVE-2019-5420] Possible Remote Code Execution Exploit in Rails Development Mode
https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
[CVE-2019-5420] Possible Remote Code Execution Exploit in Rails Development Mode
https://seclists.org/oss-sec/2019/q1/176
Zero Day Initiative – Remote Code Execution via Ruby on Rails Active Storage Insecure Deserialization
https://www.zerodayinitiative.com/blog/2019/6/20/remote-code-execution-via-ruby-on-rails-active-storage-insecure-deserialization
RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
https://hackerone.com/reports/473888
CVE-2019–5420 and defence-in-depth
https://blog.pentesterlab.com/cve-2019-5420-and-defence-in-depth-b502a64a80dd
CVE-2019-5420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5420
CVE-2019-5420
https://nvd.nist.gov/vuln/detail/CVE-2019-5420
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 20, 2019