inappropriate TLS Certificate Validation in Faye-WebSocket

Missing TLS Certificate Verification in Faye-WebSocket

CVE-ID: 2020-15133

Versions: < 0.11.0

Package URL: https://rubygems.org/gems/faye-websocket

Tested on: Ruby 2.7.2, Faye-WebSocket v0.10.0, EventMachine v1.2.7

Vulnerability Description

In faye-websocket before version 0.11.0, there is a lack of certificate validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake for wss: URLs. This method does not verify that the server presents a valid and trusted TLS certificate for the expected hostname, making any wss: connection vulnerable to a man-in-the-middle attack.

Example Scenario: Vulnerable WebSocket Connection

Consider a web application using faye-websocket for real-time messaging.

Setup the Vulnerable Application:

require 'faye/websocket'
require 'eventmachine'

EM.run {
  ws = Faye::WebSocket::Client.new('wss://example.com/')

  ws.on :open do |event|
    p [:open]
    ws.send('Hello, world!')
  end

  ws.on :message do |event|
    p [:message, event.data]
  end

  ws.on :close do |event|
    p [:close, event.code, event.reason]
    ws = nil
  end
}

Exploit the Vulnerability:
- An attacker can perform a man-in-the-middle attack by intercepting the WebSocket connection and presenting an invalid TLS certificate.
- Since EM::Connection#start_tls does not verify the certificate by default, the client will accept the connection without validating the server's identity.
Payload Example:
The attacker intercepts the WebSocket handshake and presents a self-signed or invalid certificate, allowing them to read or modify the data sent over the connection.

Issue Replication

To replicate the issue, follow these steps:

Setup a proxy to intercept WebSocket connections:
- Use a tool like Burp Suite or OWASP Zap.
Intercept the WebSocket handshake:
- Intercept the connection initiated by the faye-websocket client.
Present an invalid TLS certificate:
- Use the proxy to present an invalid or self-signed TLS certificate to the client.
- Observe that the client accepts the connection without validating the certificate, demonstrating the vulnerability.

Fix

Upgrading to faye-websocket version 0.11.0 fixes this issue by enabling certificate verification by default.

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  verify_peer: true
})

Recommendations

Upgrade to faye-websocket version 0.11.0 or later.
Ensure that the :verify_peer option is enabled to enforce TLS certificate verification.

Remediation Code Example

To ensure TLS certificate verification, configure the faye-websocket client as follows:

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  verify_peer: true
})

If you need to provide a custom root certificate, use the :root_cert_file option:

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  root_cert_file: 'path/to/certificate.pem'
})

In Node.js, the configuration would be:

var client = new faye.Client('wss://example.com/', {
  tls: {
    ca: fs.readFileSync('path/to/certificate.pem')
  }
});

Further Information

For further background information on this issue, please see:

We would like to thank Tero Marttila and Daniel Morsing for their invaluable assistance and feedback on this issue.

Vulnerability Disclosure Timeline

Following responsible disclosure guidelines, we reported this issue to the faye-websocket maintainers. The issue was fixed in version 0.11.0, which enables TLS verification by default.

PreviousMissing TLS Certificate Verification in Faye-WebSocket NextImproper Validation of Certificate with Host Mismatch in Java-WebSocket

Last updated 1 year ago