A recent vulnerability, assigned CVE-2022-32224, has been disclosed in Active Record, the ORM layer that ships with Ruby on Rails. It is an escalation-to-Remote-Code-Execution (RCE) issue that affects applications using YAML-serialized columns in Active Record versions before 7.0.3.1, 6.1.6.1, 6.0.5.1 and 5.2.8.1. An attacker who can already write to the database, for example through SQL injection, can store a crafted YAML document that is deserialized with YAML.unsafe_load when the record is read, and use that to execute arbitrary code on the server, potentially leading to unauthorized access or full control of the host.

In this post, we will discuss the details of this vulnerability, provide code snippets to illustrate the issue, and share links to relevant resources for more information and remediation.

Background

Active Record is a widely used Object Relational Mapping (ORM) framework in Ruby on Rails applications. It provides a simple and effective way to interact with the underlying database systems like MySQL, PostgreSQL, and SQLite, while handling the conversion between data types.

One of the conveniences Active Record offers is storing a Ruby object in a single text column by serializing it to YAML, which is the default coder for serialize :column. The convenience has a price: before the fix, the column value was loaded back with YAML.unsafe_load, which instantiates any Ruby class named in the document, so deserializing attacker-controlled YAML can lead to RCE.

Vulnerability Details

The vulnerability lies in how Active Record deserializes YAML-serialized columns. The stored string is handed to YAML.unsafe_load (plain YAML.load on Psych 3, where load was not yet the safe variant), and that loader honours Ruby-specific tags such as !ruby/object:SomeClass and !ruby/hash:SomeClass: it looks up the named class, allocates an instance without calling its constructor, and fills in instance variables straight from the document. An attacker who can write to the database therefore controls which objects the application builds when it reads the row. The attack runs in three steps:

1. The attacker obtains a way to write to a serialized column, typically through SQL injection or another flaw that lets them set raw column values.

2. They insert a serialized YAML payload, naming the classes and instance-variable values of their choosing, as the column's string value.

3. When the application loads the record and reads the attribute, the payload is deserialized, the objects are built, and (combined with a suitable gadget chain) Ruby code runs on the server.

To demonstrate the issue, consider the following model, which is the shape the advisory describes as affected:

class User < ApplicationRecord
  # No coder given, so Active Record uses its YAML coder (the default).
  # `serialize :preferences, Hash` is equally affected; `serialize :preferences, JSON` is not.
  serialize :preferences
end

user = User.create(name: "Alice", preferences: { theme: "dark", language: "en" })
user.preferences # => {:theme=>"dark", :language=>"en"}

In this example, the preferences column uses the default YAML coder, so Active Record stores the hash as the string "---\n:theme: dark\n:language: en\n" and loads it back with YAML.unsafe_load. An attacker who can overwrite that column value through SQL injection or another write primitive replaces it with a document like this one:

--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess
theme: dark
language: en
payload: !ruby/object:Pwn
  code: puts "Remote Code Executed"

When this row is read back, unsafe_load resolves the !ruby/hash: tag to ActiveSupport::HashWithIndifferentAccess and the !ruby/object:Pwn tag to a class named Pwn, allocating an instance and setting its @code instance variable from the document, all without the application ever calling Pwn.new (if no such class is loaded, the loader raises an error instead, so real payloads name classes the application already has). The string in the code field is not run by this step on its own; the security problem is that the attacker decides which classes get instantiated and with what internal state, and publicly known Ruby deserialization gadget chains build on exactly that primitive, objects whose methods are later triggered by the application or by Ruby itself and act on attacker-controlled instance variables, to reach code execution.
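The following is an added example, not code from the original post or from Rails, that reproduces the two loading behaviours side by side with Ruby's standard library only. The class Pwn, the payload (a constructed stand-in for the column value, without the ActiveSupport tag so it runs outside Rails) and the function names are all assumptions made for the example; the two loader calls are the ones unpatched and patched Active Record actually make.

```ruby
require "yaml"

# Hypothetical class standing in for any class on the application's load
# path. Nothing in it is dangerous by itself; the point is that the attacker,
# not the application, decides that an instance is created and what its state is.
class Pwn
  attr_reader :code
end

# Constructed stand-in for the column value an attacker would store.
PAYLOAD = <<~DOC
  ---
  theme: dark
  language: en
  payload: !ruby/object:Pwn
    code: puts "Remote Code Executed"
DOC

# What unpatched Active Record did with a serialized column: full-featured
# loading, which honours !ruby/* tags. Psych 3 calls this YAML.load; Psych 4
# renamed it unsafe_load and made load the safe variant.
def load_like_vulnerable_rails(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# What the fixed releases do: restricted loading that builds only core types
# plus an explicit allow-list of classes (Rails defaults the list to [Symbol]).
def load_like_fixed_rails(doc, permitted_classes: [Symbol])
  YAML.safe_load(doc, permitted_classes: permitted_classes, aliases: true)
end

# Vulnerable path: a Pwn instance appears with @code set straight from the
# document, although no application code ever called Pwn.new.
def demo_unsafe
  obj = load_like_vulnerable_rails(PAYLOAD)["payload"]
  [obj.class, obj.code]
end

# Fixed path: the same document is rejected before any Pwn object is built.
def demo_safe
  load_like_fixed_rails(PAYLOAD)
  :loaded # not reached
rescue Psych::DisallowedClass => e
  e.class
end

# Opting a class in with the allow-list restores the old behaviour for that
# class only; this is what yaml_column_permitted_classes controls.
def demo_permitted
  load_like_fixed_rails(PAYLOAD, permitted_classes: [Symbol, Pwn])["payload"].class
end

if __FILE__ == $PROGRAM_NAME
  p demo_unsafe
  p demo_safe
  p demo_permitted
end
```

Running it shows the asymmetry the advisory is about: the vulnerable loader hands back a Pwn whose @code the attacker chose, the safe loader raises Psych::DisallowedClass ("Tried to load unspecified class: Pwn") before allocating anything, and only an explicit allow-list entry brings a class back into play.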

Solution & Recommendations

To fix this vulnerability, upgrade Active Record (together with the rest of Rails) to the patched release for the branch you are on:

- 7.0.3.1 or later for users of Active Record 7.0.x
- 6.1.6.1 or later for users of Active Record 6.1.x
- 6.0.5.1 or later for users of Active Record 6.0.x
- 5.2.8.1 or later for users of Active Record 5.2.x

The patched releases switch the default YAML coder from YAML.unsafe_load to YAML.safe_load, so only core types plus an allow-list of classes can be deserialized; the allow-list is config.active_record.yaml_column_permitted_classes and ships with Symbol permitted. If your serialized columns legitimately hold other classes such as Date, Time or your own value objects, add them to that list (for example [Symbol, Date, Time]) rather than setting config.active_record.use_yaml_unsafe_load = true, which restores the vulnerable behaviour and exists only as a temporary upgrade aid. Columns declared with serialize :column, JSON never went through the YAML loader and are not affected, so switching to the JSON coder is a reasonable option where the stored data is plain hashes and arrays.
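Before or right after upgrading, it is worth knowing which rows the safe loader will refuse: both planted payloads and legitimate rows holding classes you have not yet permitted. The audit below is an added example (not code from the original post or from Rails) that walks the Psych parse tree of each stored document and reports the !ruby/ tags it finds; YAML.parse builds only the node tree and constructs no Ruby objects, which is what makes it safe to run over attacker-controlled column data. The sample rows are constructed stand-ins for SELECT id, preferences FROM users, and the function names and the default permitted list are assumptions for the example.

```ruby
require "yaml"

# Constructed rows standing in for `SELECT id, preferences FROM users`:
# 1 is what Active Record wrote for the legitimate record, 2 is a planted
# payload, 3 is a legitimate object that the fixed releases also refuse to
# load until its class is permitted, 4 is not even valid YAML.
ROWS = [
  [1, "---\n:theme: dark\n:language: en\n"],
  [2, "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n" \
      "theme: dark\nlanguage: en\npayload: !ruby/object:Pwn\n" \
      "  code: puts \"Remote Code Executed\"\n"],
  [3, "--- !ruby/object:OpenStruct\ntable:\n  :theme: light\n"],
  [4, "---\n:theme: [1, 2\n"],
].freeze

# Every tag in the !ruby/ namespace becomes a class lookup under safe_load,
# so each one is either a permitted class or a row that will fail to load.
RUBY_TAG = %r{\A!ruby/}.freeze

# Collect every explicit tag in a document, pre-order, using the parser only.
# Raises Psych::SyntaxError for malformed input, like the real loader would.
def yaml_tags(doc)
  root = YAML.parse(doc)
  return [] unless root

  tags = []
  walk = lambda do |node|
    tags << node.tag if node.respond_to?(:tag) && node.tag
    (node.children || []).each { |child| walk.call(child) }
  end
  walk.call(root)
  tags
end

# "!ruby/object:Pwn" -> "Pwn"; tags without a class part ("!ruby/regexp",
# "!ruby/sym") yield nil and are always reported, which errs on the safe side.
def tag_class(tag)
  tag.split(":", 2)[1]
end

# The !ruby/ tags in one document whose class is not on the allow-list.
def offending_tags(doc, permitted_classes)
  yaml_tags(doc).grep(RUBY_TAG).reject { |t| permitted_classes.include?(tag_class(t)) }
rescue Psych::SyntaxError
  [:unparsable]
end

# { id => [tags] } for rows the safe loader would reject with the given
# allow-list (class names as strings, mirroring yaml_column_permitted_classes).
def audit_rows(rows, permitted_classes: ["Symbol"])
  rows.each_with_object({}) do |(id, doc), report|
    bad = offending_tags(doc, permitted_classes)
    report[id] = bad unless bad.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  p audit_rows(ROWS)
  p audit_rows(ROWS, permitted_classes: %w[Symbol OpenStruct])
end
```

Rows that show up only because of a class you recognise (OpenStruct above) go on the permitted list; rows naming classes your application never stores, or a !ruby/hash:ActiveSupport::HashWithIndifferentAccess wrapper you did not write, are evidence of tampering and warrant an incident, not a configuration change. One limitation to keep in mind: untagged scalars such as 2022-07-12 are resolved to Date (and timestamps to Time) by the loader and are rejected by safe_load unless those classes are permitted, but they carry no tag, so this audit does not see them; a dry-run load of each row with the planned allow-list, catching Psych::DisallowedClass, is the complementary check.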

You can find more details about the respective mitigation steps by visiting the official release notes:

- Active Record 7.0.3.1 Release Notes
- Active Record 6.1.6.1 Release Notes
- Active Record 6.0.5.1 Release Notes
- Active Record 5.2.8.1 Release Notes

In summary, CVE-2022-32224 poses a significant risk to applications that use YAML-serialized columns in the affected versions of Active Record. Upgrade to the patched releases, add only the classes you actually store to yaml_column_permitted_classes, and treat any write primitive into the database, SQL injection in particular, as a potential path to code execution rather than mere data tampering.

Timeline

Published on: 12/05/2022 22:15:00 UTC
Last modified on: 12/08/2022 13:20:00 UTC