Ruby on Rails DoubleTap RCE (CVE-2019-5420)
Description
Ruby on Rails applications running in development mode are vulnerable to remote code execution through the ActiveStorage component. In development mode, Rails uses a predictable application name as the secret_key_base, which allows attackers to forge valid cryptographic signatures for malicious serialized payloads. When ActiveStorage deserializes these crafted payloads, it executes arbitrary operating system commands, leading to complete system compromise.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade Ruby on Rails immediately
Update to a patched release on your branch: Rails 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2 or 4.2.11.1, or any later release of that branch.
2. Never run production applications in development mode
Ensure the RAILS_ENV environment variable is set to 'production' in all production deployments:
export RAILS_ENV=production
3. Use strong, unique secret_key_base values
Generate a cryptographically secure secret key and configure it in your production environment:
rake secret
Then set it in config/credentials.yml.enc or as an environment variable:
export SECRET_KEY_BASE=your_generated_secret_here
4. Verify your configuration
Confirm that development mode is disabled and a strong secret_key_base is configured before deploying to production.
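A pre-deployment check covering steps 2 through 4, written as an added example for this advisory rather than anything shipped with Rails: it generates a secret the same way `rake secret` does (SecureRandom.hex(64), 128 hex characters) and inspects an environment hash for the two misconfigurations the advisory describes, RAILS_ENV not set to production (Rails falls back to development when the variable is absent) and SECRET_KEY_BASE missing, short, or low-entropy. Function names, the length threshold and the sample environments are my own; the check only covers the environment-variable path, not secrets stored in config/credentials.yml.enc.

```ruby
# Added example: pre-deployment check for the remediation steps above.
# Not part of the original advisory; the helper names and thresholds are assumptions.
require "securerandom"

# `rake secret` prints SecureRandom.hex(64): 128 hex characters. Anything
# shorter than that was not produced by the documented procedure.
STRONG_SECRET_LENGTH = 128

# Generate a secret_key_base the same way `rake secret` does.
def generate_secret_key_base
  SecureRandom.hex(64)
end

# Cheap entropy heuristic: a 128-character random hex string uses all 16 hex
# digits with overwhelming probability, so very few distinct characters means
# the value was typed by hand or copied from a placeholder.
def low_entropy?(secret)
  secret.chars.uniq.size < 10
end

# Inspect an environment hash (pass ENV in a real deployment) and return a list
# of findings. An empty array means the deployment passes these checks.
def check_rails_deploy_env(env)
  findings = []

  rails_env = env["RAILS_ENV"]
  if rails_env.nil? || rails_env.empty?
    findings << "RAILS_ENV is not set; Rails defaults to development mode"
  elsif rails_env != "production"
    findings << "RAILS_ENV is '#{rails_env}', expected 'production'"
  end

  secret = env["SECRET_KEY_BASE"]
  if secret.nil? || secret.empty?
    findings << "SECRET_KEY_BASE is not set; in development mode Rails derives a predictable value"
  else
    if secret.length < STRONG_SECRET_LENGTH
      findings << "SECRET_KEY_BASE is #{secret.length} chars, expected at least #{STRONG_SECRET_LENGTH} (rake secret)"
    end
    if low_entropy?(secret)
      findings << "SECRET_KEY_BASE has low entropy; regenerate it with rake secret"
    end
  end

  findings
end

# Stand-alone use: report on the current process environment.
if $PROGRAM_NAME == __FILE__
  findings = check_rails_deploy_env(ENV)
  if findings.empty?
    puts "OK: RAILS_ENV=production and a strong SECRET_KEY_BASE are configured"
  else
    puts "Deployment check failed:"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

Run it from the deployment shell that will start the application (so it sees the same environment), and treat any finding as a blocker before the app starts serving traffic.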