Use Rails? Check yourself for the YAML exploit.

Anybody using Ruby on Rails has been sitting uneasy for the last few weeks, and with good reason. The most recent Rails vulnerabilities have been the worst ever, affecting both Rails and non-Rails websites. If you haven't been able to trudge through the extremely technical blog posts, or haven't had time to think about it: the Rails YAML vulnerability allows attackers to gain arbitrary remote code execution - that is, full control of the entire server. Once one server has been fully compromised, it's not hard to own all the machines around it.

So what does it all mean? First, if you have this vulnerability it's pretty easy for somebody to point Metasploit at your site and gain control. Second, even if you don't run Rails (or don't run a vulnerable version of Rails), you can still be affected through any of your service and JavaScript providers. If they're compromised, it would be easy to tamper with the JS you're loading from them, leaving your site with a Cross Site Scripting (XSS) vulnerability in the process.

Plenty of customers and friends of ours have requested a simple way to check their site for the Ruby YAML vulnerability, so now we have it! Feel free to test your site quickly and for free at https://www.tinfoilsecurity.com/railscheck. We determine this by sending a harmless request to your web server. The request doesn't do anything -- it is designed to be rejected with an error, much as if someone typed a URL incorrectly and requested a web page which doesn't exist. If your application is vulnerable, it will respond with a particular error code, whereas apps that are not vulnerable will not. This vulnerability allows attackers to execute code on your server, but our check never does so.

We use one of two known ways to detect this vulnerability, so the check isn't 100% foolproof. We'll have both forms of detection in our scanner real soon now, so I do recommend running a full vulnerability check for free with our scanner. Also, this check is for websites using the Psych YAML engine and not the older Syck. All of the proofs of concept we've seen so far are for Psych. That doesn't mean Syck isn't vulnerable, only that our checker will only work for Psych. In all likelihood, Syck is vulnerable too, and you should upgrade your Rails all the same.
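To show why a Psych-based app is exposed and what the hardened loading mode looks like, here is an added example that is not part of this post or of Tinfoil's checker. It goes beyond the post by illustrating the underlying weakness: Psych's legacy `load` honours `!ruby/object` tags in untrusted input and instantiates arbitrary application classes, while `Psych.safe_load` refuses them. The `ServerConfig` class and the YAML document are constructed for the example; the `yaml_engine` helper reports which engine (Psych or Syck) the running Ruby uses.

```ruby
require 'yaml'
require 'psych'

# Constructed example: an application class that untrusted YAML should never
# be allowed to instantiate.
class ServerConfig
  attr_accessor :hostname, :admin
end

# Constructed document using the !ruby/object tag that the legacy loader
# honours; the values are placeholders.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:ServerConfig
  hostname: example.invalid
  admin: true
YAML

# Which YAML engine this Ruby uses. Ruby 1.9 exposed the choice through
# YAML::ENGINE (psych or syck); Ruby 2.0 and later ship Psych only.
def yaml_engine
  defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : 'psych'
end

# Legacy behaviour (what a 2013-era Rails app did with request parameters):
# tags may instantiate arbitrary Ruby classes. Psych 4 moved this behaviour
# to unsafe_load; older Psych only has load, which behaves the same way.
def legacy_load(doc)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(doc) : Psych.load(doc)
end

# Hardened behaviour: safe_load only builds core scalar and collection types
# and raises Psych::DisallowedClass for any other tag.
def hardened_load(doc)
  Psych.safe_load(doc)
end

# True if the legacy loader turned the untrusted document into a live object.
def legacy_instantiates_object?(doc)
  legacy_load(doc).is_a?(ServerConfig)
end

# True if the hardened loader rejected the document outright.
def hardened_rejects?(doc)
  hardened_load(doc)
  false
rescue Psych::DisallowedClass
  true
end
```

Upgrading Rails remains the fix for the bug itself; `safe_load` is the general rule for any YAML you accept from outside the application.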

If you want to read more on the Rails YAML vulnerability, we highly recommend checking out Patrick McKenzie's blog post at: http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/

Please feel free to reach out at support@tinfoilsecurity.com or on our chat at http://www.tinfoilsecurity.com/chat if you or anybody you know needs help fixing this vulnerability. It's a large issue we want to help people avoid.


Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing and flying kites.

Tinfoil Security Blog

Tinfoil Security provides the simplest security solution. With Tinfoil Security, your site is routinely monitored and checked for vulnerabilities using a scanner that's constantly updated. Using the same techniques as malicious hackers, we systematically test all the access points, instantly notifying you when there's a threat and giving you step-by-step instructions, tailored to your software stack, to eliminate it. You have a lot to manage; let us manage your website's security.