The maintainers of Ruby have fixed a serious flaw in its SSL client that could have allowed an attacker to conduct man-in-the-middle attacks by spoofing an SSL server.
The vulnerability lies in the OpenSSL toolkit that’s built in to Ruby and is present in several versions of the software from 1.8 through 2.0. An attacker exploiting the flaw could impersonate a trusted SSL server and intercept protected traffic intended for that server. The Ruby maintainers have released patches for the bug.
“A vulnerability in Ruby’s SSL client that could allow man-in-the-middle attackers to spoof SSL servers via valid certificate issued by a trusted certification authority,” the Ruby advisory says. “When a CA a SSL client trusts allows to issue the server certificate that has null byte in subjectAltName, remote attackers can obtain the certificate for ‘www.ruby-lang.org.example.com’ from the CA to spoof ‘www.ruby-lang.org’ and do man-in-the-middle between Ruby’s SSL client and SSL servers.”