GHSA-2V5C-755P-P4GV
Vulnerability from github – Published: 2020-07-31 17:40 – Updated: 2023-05-16 16:01The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.
This has been a requested feature in EventMachine for many years now; see for example #275, #378, and #814. In June 2020, em-http-request published an advisory related to this problem and fixed it by implementing TLS verification in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called ssl_verify_peer. Based on this implementation, we have incorporated similar functionality into faye-websocket for Ruby, such that we use the OpenSSL module to perform two checks:
- The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime
- The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy's hostname
After implementing verification in v1.1.6, em-http-request has elected to leave the :verify_peer option switched off by default. We have decided to enable this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that
all clients have TLS verification turned on by default. A client that is not carrying out verification is either:
- talking to the expected server, and will not break under this change
- being attacked, and would benefit from being alerted to this fact
- deliberately talking to a server that would be rejected by verification
The latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be "working by accident", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the Faye::WebSocket::Client constructor: tls.root_cert_file, and tls.verify_peer.
The :root_cert_file option lets you provide a different set of root certificates in situations where you don't want to use your system's default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults.
client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
root_cert_file: 'path/to/certificate.pem'
})
The :verify_peer option lets you turn verification off entirely. This should be a last resort and we recommend using the :root_cert_file option if possible.
client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
verify_peer: false
})
To get the new behaviour, please upgrade to v0.11.0 of the Rubygems package. There are, unfortunately, no workarounds for this issue, as you cannot enable :verify_peer in EventMachine unless the calling library contains an implementation of ssl_verify_peer that actually checks the server's certificates.
For further background information on this issue, please see faye#524 and faye-websocket#129. We would like to thank Tero Marttila and Daniel Morsing for providing invaluable assistance and feedback on this issue.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "faye-websocket"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15133"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-31T17:39:00Z",
"nvd_published_at": "2020-07-31T18:15:00Z",
"severity": "HIGH"
},
"details": "The `Faye::WebSocket::Client` class uses the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.\n\nThis has been a requested feature in EventMachine for many years now; see for example [#275][3], [#378][4], and [#814][5]. In June 2020, [em-http-request][6] published an [advisory][7] related to this problem and fixed it by [implementing TLS verification][8] in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called [`ssl_verify_peer`][9]. Based on this implementation, we have incorporated similar functionality into [faye-websocket for Ruby][10], such that we use the `OpenSSL` module to perform two checks:\n\n- The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime\n- The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy\u0027s hostname\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave the `:verify_peer` option switched off by default. We have decided to _enable_ this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that\nall clients have TLS verification turned on by default. A client that is not carrying out verification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be \"working by accident\", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the `Faye::WebSocket::Client` constructor: `tls.root_cert_file`, and `tls.verify_peer`.\n\nThe `:root_cert_file` option lets you provide a different set of root certificates in situations where you don\u0027t want to use your system\u0027s default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n root_cert_file: \u0027path/to/certificate.pem\u0027\n})\n```\n\nThe `:verify_peer` option lets you turn verification off entirely. This should be a last resort and we recommend using the `:root_cert_file` option if possible.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n verify_peer: false\n})\n```\n\nTo get the new behaviour, please upgrade to v0.11.0 of the [Rubygems package][10]. There are, unfortunately, no workarounds for this issue, as you cannot enable `:verify_peer` in EventMachine unless the calling library contains an implementation of `ssl_verify_peer` that actually checks the server\u0027s certificates.\n\nFor further background information on this issue, please see [faye#524][12] and [faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel Morsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: https://github.com/DanielMorsing",
"id": "GHSA-2v5c-755p-p4gv",
"modified": "2023-05-16T16:01:20Z",
"published": "2020-07-31T17:40:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15133"
},
{
"type": "WEB",
"url": "https://github.com/eventmachine/eventmachine/issues/275"
},
{
"type": "WEB",
"url": "https://github.com/eventmachine/eventmachine/issues/814"
},
{
"type": "WEB",
"url": "https://github.com/faye/faye/issues/524"
},
{
"type": "WEB",
"url": "https://github.com/eventmachine/eventmachine/pull/378"
},
{
"type": "WEB",
"url": "https://github.com/faye/faye-websocket-ruby/pull/129"
},
{
"type": "WEB",
"url": "https://github.com/igrigorik/em-http-request/pull/340"
},
{
"type": "WEB",
"url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye"
},
{
"type": "PACKAGE",
"url": "https://github.com/faye/faye-websocket-ruby"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye-websocket/CVE-2020-15133.yml"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request"
},
{
"type": "WEB",
"url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer"
},
{
"type": "WEB",
"url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing TLS certificate verification in faye-websocket"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.