Missing TLS Certificate Verification in Faye-WebSocket

Missing TLS Certificate Verification in Faye

Versions: < 1.4.0

Package URL: https://rubygems.org/gems/faye

Tested on: Ruby 2.7.2, Faye v1.3.0, EventMachine v1.2.7

Vulnerability Description

The Faye library, before version 1.4.0, is vulnerable to a man-in-the-middle attack due to missing TLS certificate verification in its WebSocket connections. Faye relies on em-http-request and faye-websocket in the Ruby version of its client. These libraries use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake for wss: URLs. This method does not verify that the server presents a valid and trusted TLS certificate for the expected hostname by default, making any https: or wss: connection vulnerable.

The first request made by a Faye client is via normal HTTP, but subsequent messages may be sent via WebSocket, exposing them to the same vulnerability.

Example Scenario: Vulnerable Web Application

Consider a web application using Faye for real-time messaging.

1. Setup the Vulnerable Application:

   require 'faye'
   
   EM.run {
     client = Faye::Client.new('wss://example.com/faye')
     
     publication = client.publish('/some/channel', 'text' => 'Hello world')
     
     publication.callback do
       puts 'Message received by server!'
     end
   
     publication.errback do |error|
       puts "There was a problem: #{error.message}"
     end
   }

2. Exploit the Vulnerability:

   • An attacker can perform a man-in-the-middle attack by intercepting the WebSocket connection and presenting an invalid TLS certificate.

   • Since EM::Connection#start_tls does not verify the certificate by default, the client will accept the connection without validating the server's identity.

Issue Replication

To replicate the issue, follow these steps:

1. Setup a proxy to intercept WebSocket connections:

   • Use a tool like Burp Suite or OWASP Zap.

2. Intercept the WebSocket handshake:

   • Intercept the connection initiated by the Faye client.

3. Present an invalid TLS certificate:

   • Use the proxy to present an invalid or self-signed TLS certificate to the client.

   • Observe that the client accepts the connection without validating the certificate, demonstrating the vulnerability.

Fix

Faye v1.4.0 fixes this issue by enabling certificate verification by default. The :verify_peer option is now switched on by default in Faye.

client = Faye::Client.new('https://example.com/', tls: { verify_peer: true })

Recommendations

• Upgrade to Faye version 1.4.0 or later.

• Ensure that the :verify_peer option is enabled to enforce TLS certificate verification.

Remediation Code Example

To ensure TLS certificate verification, configure the Faye client as follows:

client = Faye::Client.new('https://example.com/', tls: { verify_peer: true })

In Node.js, the configuration would be:

var client = new faye.Client('https://example.com/', {
  tls: {
    ca: fs.readFileSync('path/to/certificate.pem')
  }
});

Further Information

For further background information on this issue, please see:

• faye#524

• faye-websocket#129

We would like to thank Tero Marttila and Daniel Morsing for their invaluable assistance and feedback on this issue.

Vulnerability Disclosure Timeline

Following responsible disclosure guidelines, we reported this issue to the Faye maintainers. The issue was fixed in Faye v1.4.0, which enables TLS verification by default.